Public-Key Cryptographyin the Fine-Grained Setting

Rio LaVigne1, Andrea Lincoln2, and Virginia Vassilevska Williams3

Abstract. Cryptography is largely based on unproven assumptions, which,while believable, might fail. Notably if P = NP , or if we live in Pessiland,then all current cryptographic assumptions will be broken. A compellingquestion is if any interesting cryptography might exist in Pessiland.A natural approach to tackle this question is to base cryptography on anassumption from fine-grained complexity. Ball, Rosen, Sabin, and Vasude-van [BRSV’17] attempted this, starting from popular hardness assump-tions, such as the Orthogonal Vectors (OV) Conjecture. They obtainedproblems that are hard on average, assuming that OV and other prob-lems are hard in the worst case. They obtained proofs of work, and hopedto use their average-case hard problems to build a fine-grained one-wayfunction. Unfortunately, they proved that constructing one using their ap-proach would violate a popular hardness hypothesis. This motivates thesearch for other fine-grained average-case hard problems.The main goal of this paper is to identify sufficient properties for a fine-grained average-case assumption that imply cryptographic primitives suchas fine-grained public key cryptography (PKC). Our main contributionis a novel construction of a cryptographic key exchange, together withthe definition of a small number of relatively weak structural properties,such that if a computational problem satisfies them, our key exchange hasprovable fine-grained security guarantees, based on the hardness of thisproblem. We then show that a natural and plausible average-case assump-tion for the key problem Zero-k-Clique from fine-grained complexity sat-isfies our properties. We also develop fine-grained one-way functions andhardcore bits even under these weaker assumptions.Where previous works had to assume random oracles or the existenceof strong one-way functions to get a key-exchange computable in O(n)time secure against O(n2) adversaries (see [Merkle’78] and [BGI’08]), our

1 MIT CSAIL and EECS, rio@mit.edu. This material is based upon work supportedby the National Science Foundation Graduate Research Fellowship under Grant No.1122374. Any opinion, findings, and conclusions or recommendations expressed inthis material are those of the authors(s) and do not necessarily reflect the views of theNational Science Foundation. Research also supported in part by NSF Grants CNS-1350619 and CNS-1414119, and by the Defense Advanced Research Projects Agency(DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 andW911NF-15-C-0236.

2 MIT CSAIL and EECS, andreali@mit.edu. This work supported in part by NSFGrants CCF-1417238, CCF-1528078 and CCF-1514339, and BSF Grant BSF:2012338.

3 MIT CSAIL and EECS, virgi@mit.edu. Partially supported by an NSF CareerAward, a Sloan Fellowship, NSF Grants CCF-1417238, CCF-1528078 and CCF-1514339, and BSF Grant BSF:2012338.

assumptions seem much weaker. Our key exchange has a similar gap be-tween the computation of the honest party and the adversary as priorwork, while being non-interactive, implying fine-grained PKC.

1 Introduction

Modern cryptography has developed a variety of important cryptographic prim-itives, from One-Way Functions (OWFs) to Public-Key Cryptography to Obfus-cation. Except for a few more limited information theoretic results [51, 20, 50],cryptography has so far required making a computational assumption, P 6=NP being a baseline requirement. Barring unprecedented progress in computa-tional complexity, such hardness hypotheses seem necessary in order to obtainmost useful primitives. To alleviate this reliance on unproven assumptions, itis good to build cryptography from a variety of extremely different, believableassumptions: if a technique disproves one hypothesis, the unrelated ones mightstill hold. Due to this, there are many different cryptographic assumptions: onfactoring, discrete logarithm, shortest vector in lattices and many more.

Unfortunately, almost all hardness assumptions used so far have the samequite stringent requirements: not only that NP is not in BPP, but that we mustbe able to efficiently sample polynomially-hard instances whose solution weknow. Impagliazzo [31, 47] defined five worlds, which capture the state of cryp-tography, depending on which assumptions happen to fail. The three worldsworst for cryptography are Algorithmica (NP in BPP), Heuristica (NP is not inBPP but NP problems are easy on average) and Pessiland (there are NP prob-lems that are hard on average but solved hard instances are hard to sample, andOWFs do not exist). This brings us to our main question.

Can we have a meaningful notion of cryptography even if we live in Pessiland (orAlgorithmica or Heuristica)?

This question motivates a weaker notion of cryptography: cryptographythat is secure against nk-time bounded adversaries, for a constant k. Let us seewhy such cryptography might exist even if P = NP. In complexity, for mostinteresting computational models, we have time hierarchy theorems that saythat there are problems solvable in O(n2) time (say) that cannot be solved inO(n2−ε) time for any ε > 0 [28, 30, 53]. In fact, such theorems exist also for theaverage case time complexity of problems [39]. Thus, even if P=NP, there areproblems that are hard on average for specific runtimes, i.e. fine-grained hard onaverage. Can we use such hard problems to build useful cryptographic primitives?

Unfortunately, the problems from the time hierarchy theorems are difficultto work with, a common problem in the search for unconditional results. Thus,let us relax our requirements and consider hardness assumptions, but this timeon the exact running time of our problems of interest. One simple approachis to consider all known constructions of Public Key Cryptography (PKC) todate and see what they imply if the hardness of the underlying problem is re-laxed to be nk−o(1) for a fixed k (as it would be in Pessiland). Some of the known

2

schemes are extremely efficient. For instance, the RSA and Diffie-Hellman cryp-tosystems immediately imply weak PKC if one changes their assumptions to beabout polynomial hardness [49, 23]. However, these cryptosystems have otherweaknesses – for instance, they are completely broken in a postquantum worldas Shor’s algorithm breaks their assumptions in essentially quadratic time [52].Thus, it makes sense to look at the cryptosystems based on other assumptions.Unfortunately, largely because cryptography has mostly focused on the gap be-tween polynomial and superpolynomial time, most reductions building PKChave a significant (though polynomial) overhead; many require, for example,multiple rounds of Gaussian elimination. As a simple example, the Goldreich-Levin construction for hard-core bits uses nω (where ω ∈ [2, 2.373) is the expo-nent of square matrix multiplication [55][26]) time and n calls to the hard-core-bit distinguisher [27]. The polynomial overhead of such reductions means thatif the relevant problem is only n2−o(1) hard, instead of super-polynomially hard,the reduction will not work anymore and won’t produce a meaningful crypto-graphic primitive. Moreover, reductions with fixed polynomial overheads areno longer composable in the same way when we consider weaker, polyno-mial gap cryptography. Thus, new, more careful cryptographic reductions areneeded.

Ball et al. [6, 7] recently began to address this issue through the lens of therecently blossoming field of fine-grained complexity. Fine-grained complexity isbuilt upon “fine-grained” hypotheses on the (worst-case) hardness of a smallnumber of key problems. Each of these key problems K, has a simple algo-rithm using a combination of textbook techniques, running in time T (n) oninstances of size n, in, say, the RAM model of computation. However, despitedecades of research, no O(T (n)1−ε) algorithm is known for any ε > 0 (notethat the tilde suppresses sub-polynomial factors). The fine-grained hypothesisfor K is then that K requires T (n)1−o(1) time in the RAM model of computa-tion. Some of the main hypotheses in fine-grained complexity (see [54]) set Kto be CNF-SAT (with T (n) = 2n, where n is the number of variables), or thek-Sum problem (with T (n) = ndk/2e), or the All-Pairs Shortest Paths problem(with T (n) = n3 where n is the number of vertices), or one of several versionsof the k-Clique problem in weighted graphs. Fine-grained uses fine-grainedreductions between problems in a very tight way (see [54]): if problem A hasrequires running time a(n)1−o(1), and one obtains an (a(n), b(n))-fine-grainedreduction fromA toB, then problemB needs runtime b(n)1−o(1). Using such re-ductions, one can obtain strong lower bounds for many problems, conditionedon one of the few key hypotheses.

The main question that Ball et al. set out to answer is: Can one use fine-grained reductions from the hard problems from fine-grained complexity to build usefulcryptographic primitives? Their work produced worst-case to average-case fine-grained reductions from key problems to new algebraic average case problems.From these new problems, Ball et al. were able to construct fine-grained proofsof work, but they were not able to obtain stronger cryptographic primitivessuch as fine-grained one-way-functions or public key encryption. In fact, they

3

gave a barrier for their approach: extending their approach would falsify theNondeterministic Strong Exponential Time Hypothesis (NSETH) of Carmosinoet al. [18]. Because of this barrier, one would either need to develop brand newtechniques, or use a different hardness assumption.

What kind of hardness assumptions can be used to obtain public-key cryptography(PKC) even in Pessiland?

A great type of theorem to address this would be: for every problem P thatrequires nk−o(1) time on average, one can construct a public-key exchange (say),for which Alice and Bob can exchange a lg(n) bit key in time O(nak), whereasEve must take n(a+g)k−o(1) time to learn Alice and Bob’s key, where g is large,and a is small. As a byproduct of such a theorem, one can obtain not just OWFs,but even PKC in Pessiland under fine-grained assumptions via the results ofBall et al. Of course, due to the limitations given by Ball et al. such an idealtheorem would have to refute NSETH, and hence would be at the very leastdifficult to prove. Thus, let us relax our goal, and ask

What properties are sufficient for a fine-grained average-case assumption so that itimplies fine-grained PKC?

If we could at least resolve this question, then we could focus our search forworst-case to average-case reductions in a useful way.

1.1 Our contributions

Our main result is a fine-grained key-exchange that can be formed from anyproblem that meets three structural conditions in the word-RAM model of com-putation. This addresses the question of what properties are sufficient to pro-duce fine-grained Public Key Encryption schemes (PKEs).

For our key exchange, we describe a set of properties, and any problem thathas those properties implies a polynomial gap PKE. An informal statement ofour main theorem is as follows.

Theorem. [Fine-Grained Key-Exchange (informal)] Let P be a computationalproblem for which a random instance can be generated in O(ng) time for someg, and that requires nk−o(1) time to be solved on average for some fixed k > g.Additionally, letP have three key structural properties of interest: (1) “plantable”:we can generate a random-looking instance, choosing either to have or not tohave a solution in the instance, and if there is a solution, we know what/whereit is; (2) “average-case list-hard”: given a list of n random instances of the prob-lem, returning which one of the instances has a solution requires essentiallysolving all instances; (3) “splittable”: when given an instance with a solution,we can split it in O(ng) time into two slightly smaller instances that both havesolutions.

Then a public key-exchange can be built such that Alice and Bob exchangea lg(n) bit key in time n2k−g , where as Eve must take Ω(n3k−2g) time to learn

4

Alice and Bob’s key.

Notice that as long as there is a gap between the time to generate a randominstance and the time to solve an instance on average, there is a gap betweenN = n2k−g and n3k−2g = N3/2−1/(4(k/g)−2) and the latter goes to N3/2, as k/ggrows. The key exchange requires no interaction, and we get a fine-grained pub-lic key cryptosystem. While our key exchange construction provides a relativelysmall gap between the adversary and the honest parties (O(N1.5) vs O(N)), thetechniques required to prove security of this scheme are novel and the result isgeneric as long as the three assumptions are satisfied. In fact, we will show analternate method to achieve a gap approaching O(N2) in the full version of thispaper.

Our main result above is stated formally and in more generality in Theorem5. We will explain the formal meaning of our structural properties plantable,average-case list-hard, and splittable later.

We also investigate what plausible average-case assumptions one might beable to make about the key problems from fine-grained complexity so that thethree properties from our theorem would be satisfied. We consider the Zero-k-Clique problem as it is one of the hardest worst-case problems in fine-grainedcomplexity. For instance, it is known that if Zero-3-Clique is inO(n3−ε) time forsome ε > 0, then both the 3-Sum and the APSP hypotheses are violated [54, 57].It is important to note that while fine-grained problems like Zero-k-Clique andk-Sum are suspected to take a certain amount of time in the worst case, whenmaking these assumptions for any constant k does not seem to imply P 6= NPsince all of these problems are still solveable in polynomial time.1

An instance of Zero-k-Clique is a complete k-partite graph G, where eachedge is given a weight in the range [0, R − 1] for some integer R. The prob-lem asks whether there is a k-clique in G whose edge weights sum to 0, mod-ulo R. A standard fine-grained assumption (see e.g. [54]) is that in the worstcase, for large enough R, say R ≥ 10n4k, Zero-k-Clique requires nk−o(1) timeto solve. Zero-k-Clique has no non-trivial average-case algorithms for naturaldistributions (uniform for a range of parameters, similar to k-Sum and Sub-set Sum). Thus, Zero-k-Clique is a natural candidate for an average-case fine-grained hard problem.

Our other contribution addresses an open question from Ball et al.: can afine-grained one-way function be constructed from worst case assumptions?While we do not fully achieve this, we generate new plausible average-case as-sumptions from fine-grained problems that imply fine-grained one-way func-tions.

1 Assuming the hardness of these problems for more general k will imply P 6= NP , butthat is not the focus of our work.

5

1.2 Previous Works

There has been much prior work leading up to our results. First, there are a fewresults using assumptions from fine-grained complexity and applying them tocryptography. Second, there has been work with the kind of assumptions thatwe will be using.

Fine-Grained Cryptography Ball et al. [6, 7] produce fine-grained wost-caseto average-case reductions. Ball et al. leave an open problem of producing aone-way-function from a worst case assumption. They prove that from somefine-grained assumptions building a one-way-function would falsify NSETH[18][6]. We avoid their barrier in this paper by producing a construction of bothfine-grained OWFs and fine-grained PKE from an average-case assumption.

Fine-Grained Key Exchanges. Fine-grained cryptography is a relatively unex-plored area, even though it had its start in the 1970’s with Merkle puzzles: thegap between honestly participating in the protocol versus breaking the securityguarantee was only quadratic [43]. Merkle originally did not describe a plau-sible hardness assumption under which the security of the key exchange canbe based. 30 years later, Biham, Goren, and Ishai showed how to implementMerkle puzzles by making an assumption of the existence of either a randomoracle or an exponential gap one way function [16]. That is, Merkle puzzleswere built under the assumption that a one-way function exists which takestime 2n(1/2+δ) to invert for some δ > 0. So while prior work indeed succeeded inbuilding a fine-grained key-exchange, it needed a very strong variant of OWFsto exist. It is thus very interesting to obtain fine-grained public key encryptionschemes based on a fine-grained assumption (that might even work in Pessi-land and below).

Another notion of Fine-Grained Cryptography. In 2016, work by Degwekar, Vaikun-tanathan, and Vasudevan [22] discussed fine-grained complexity with respectto both honest parties and adversaries restricted to certain circuit classes. Theyobtained constructions for some cryptographic primitives (including PKE) whenrestricting an adversary to a certain circuit class. From the assumption NC1 6=⊕L/poly they show Alice and Bob can be in AC0[2] while being secure againstNC1 adversaries. While [22] obtains some unconditional constructions, their se-curity relies on the circuit complexity of the adversary, and does not apply toarbitrary time-bounded adversaries as is usually the case in cryptography. Thatis, this restricts the types of algorithms an adversary is allowed to use beyondjust how much runtime these algorithms can have. It would be interesting toget similar results in the low-polynomial time regime, without restricting anadversary to a certain circuit class. Our results achieve this, though not uncon-ditionally.

Tight Security Reductions and Fine-Grained Crypto. Another area the world offine-grained cryptography collides with is that of tight security reductions in

6

cryptography. Bellare et.al. coined the term “concrete” security reductions in[14, 12]. Concrete security reductions are parametrized by time (t), queries (q),size (s), and success probability (ε). This line of work tracks how a reductionfrom a problem to a construction of some cryptographic primitive effects thefour parameters of interest. This started a rich field of study connecting the-ory to practical cryptographic primitives (such as PRFs, different instantiationsof symmetric encryption, and even IBE for example [10, 11, 36, 15]). In fine-grained reductions we also need to track exactly how our adversary’s advan-tage changes throughout our reductions, however, we also track the runningtime of the honest parties. So, unlike in the concrete security literature, whenthe hard problems are polynomially hard (perhaps because P = NP ), we cantrack the gap in running times between the honest and dishonest parties. Thisallows us to build one way functions and public key cryptosystems when thehard problems we are given are only polynomially hard.

Paper Assumptions Crypto RuntimePower ofAdversary

[43] Random Oracles* Key Exchange O(N) O(N2)

[16] Exponentially-Strong OWFs Key Exchange O(N) O(N2)

[7] WC 3-Sum, OV, APSP, or SETH Proof of Work O(N2) N/A

[This work] Zero-k-Clique or k-SumOWFs,Key Exch. & PKE

O(N)O(N)

O(N1+δ)

O(N1.5−δ)

[22] NC1 6= ⊕L/poly

OWFs, and PRGswith sublinearstretch, CRHFs,and PKE

NC1 NC1

NC1 6= ⊕L/poly PKE and CRHFsAC0[2] NC1

Unconditional

PRGs with polystretch, Symmetricencryption,and CRHFs

AC0 AC0

Figure 1: A table of previous works’ results in this area. There have been severalresults characterizing different aspects of fine-grained cryptography. *It was[16] who showed that Merkle’s construction could be realized with a randomoracle. However, Merkle presented the construction.

Similar Assumptions This paper uses hypotheses on the running times ofproblems that, while solvable in polynomial time, are variants of natural NP-hard problems, in which the size of the solution is a fixed constant. For instance,k-Sum is the variant of Subset Sum, where we are given n numbers and weneed to find exactly k elements that sum to a given target, and Zero-k-Clique is

7

the variant of Zero-Clique, in which we are given a graph and we need to findexactly k nodes that form a clique whose edge weights sum to zero.

With respect to Subset Sum, Impagliazzo and Naor showed how to directlyobtain OWFs and PRGs assuming that Subset Sum is hard on average [32]. TheOWF is f(a, s) = (a,a · s), where a is the list of elements (chosen uniformlyat random from the range R) and s ∈ 0, 1n represents the set of elementswe add together. In addition to Subset Sum, OWFs have also been constructedfrom planted Clique, SAT, and Learning-Parity with Noise [41, 34]. The con-structions from the book of Lindell and the chapter written by Barak [41] comefrom a definition of a “plantable” NP-hard problem that is assumed to be hardon average.

Although our OWFs are equivalent to scaled-down, polynomial-time solv-able characterizations of these problems, we also formalize the property thatallows us to get these fine-grained OWFs (plantability). We combine these NPconstructions and formalizations to lay the groundwork for fine-grained cryp-tography.

In the public-key setting, there has been relatively recent work taking NP-hard problems and directly constructing public-key cryptosystems [4]. Theytake a problem that is NP-hard in its worst case and come up with an average-case assumption that works well for their constructions. Our approach is simi-lar, and we also provide evidence for why our assumptions are correct.

In recent work, Subset Sum was also shown to directly imply public-keycryptography [42]. The construction takes ideas from Regev’s LWE construc-tion [48], turning a vector of subset sum elements into a matrix by writing eachelement out base q in a column. The subset is still represented by a 0-1 matrix,and error is handled by the lack of carrying digits. It is not clear how to directlytranslate this construction into the fine-grained world. First, directly convert-ing from Subset Sum to k-Sum just significantly weakens the security withoutadded benefit. More importantly, the security reduction has significant poly-nomial overhead, and would not apply in a very pessimistic Pessiland whererandom planted Subset Sum instances can be solved in quadratic time, say.

While it would be interesting to reanalyze the time-complexity of this con-struction (and others) in a fine-grained way, this is not the focus of our work.Our goal is to obtain novel cryptographic approaches exploiting the fine-grainednature of the problems, going beyond just recasting normal cryptography in thefine-grained world, and obtaining somewhat generic constructions.

1.3 Technical Overview

Here we will go into a bit more technical detail in describing our results. First,we need to describe our hardness assumptions. Then, we will show how to usethem for our fine-grained key exchange, and finally, we will talk briefly aboutfine-grained OWFs and hardcore bits.

Our Hardness Assumption We generate a series of properties where if a problemhas these properties then a fine-grained public key-exchange can be built.

8

One property we require is that the problem is hard on average, in a fine-grained sense. Intuitively, a problem is average case indistinguishably hard ifgiven an instance that is drawn with probability 1/2 from instances with nosolutions and with probability 1/2 from instances with one solution, it is com-putationally hard on average to distinguish whether the instance has 0 or 1solutions. The rest of the properties are structural; we need a problem that isplantable, average-case list-hard, and splittable. Informally,

– The plantable property roughly says that one can efficiently choose to gen-erate either an instance without a solution or one with a solution, knowingwhere the solution is;

– The average case list-hard property says that if one is given a list of in-stances where all but one of them are drawn uniformly over instances withno solutions, and a random one of them is actually drawn uniformly frominstances with one solution, then it is computationally hard to find the in-stance with a solution;

– Finally, the splittable property says that one can generate from one averagecase instance, two new average case instances that have the same numberof solutions as the original one.

These are natural properties for problems and hypotheses to have. We willdemonstrate in Section B.3 that Zero-k-Clique has all of these properties. Weneed our problem to have all three of these qualities for the key exchange. Forour one-way function constructions we only need the problem to be plantable.

The structural properties are quite generic, and in principle, there could bemany problems that satisfy them. We exhibit one: the Zero-k-Clique problem.

Because no known algorithmic techniques seem to solve Zero-k-Clique evenwhen the weights are selected independently uniformly at random from [0, cnk]for a constant c, folklore intuition dictates that the problem might be hard onaverage for this distribution: here, the expected number of k-Cliques is Θ(1),and solving the decision problem correctly on a large enough fraction of therandom instances seems difficult. This intuition was formally proposed by Pet-tie [46] for the very related k-Sum problem which we also consider.

We show that the Zero-k-Clique problem, together with the assumption thatit is fine-grained hard to solve on average, satisfies all of our structural prop-erties, and thus, using our main theorem, one can obtain a fine-grained keyexchange based on Zero-k-Clique.

Key Exchange Assumption. We assume that when given a complete k-partitegraph with kn nodes and random weights [0, R − 1], R = Ω(nk), any adver-sary running in time nk−Ω(1) time cannot distinguish an instance with a zero-k-clique solution from one without with more than 2/3 chance of success. Inmore detail, consider a distribution where with probability 1/2 one generatesa random instance of size n with no solutions, and with probability 1/2 onegenerates a random instance of size n with exactly one solution. (We later tiein this distribution to our original uniform distribution.) Then, consider an al-gorithm that can determine with probability 2/3 (over the distribution of in-stances) whether the problem has a solution or not. We make the conjecture

9

that such a 2/3-probability distinguishing algorithm for Zero-k-Clique, whichcan also exhibit the unique zero clique whenever a solution exists, requires timenk−o(1).

Public Key Exchange So, what does the existence of a problem with our threeproperties, plantable, average-case list-hard, and splittable, imply?

The intuitive statement of our main theorem is that, if a problem has thethree properties, and is nk hard to solve on average and can be generatedin ng time (for Zero-k-Clique g = 2), then a key exchange exists that takesO(N) time for Alice and Bob to execute, and requires an eavesdropper EveΩ(N (3k−2g)/(2k−g)) time to break. When k > g Eve takes super linear timein terms of N . When k = 3 and g = 2, an important case for the Zero-k-Clique problem, Eve requires Ω(N5/4) time.

For the rest of this overview we will describe our construction with the prob-lem Zero-k-Clique.

To describe how we get our key exchange, it is first helpful to considerMerkle Puzzles [43, 16, 8]. The idea is simple: let f be a one way permutationover n bits (so a range of 2n values) requires 2n(

12+ε) time to invert for some

constant ε > 0. Then, Alice and Bob could exchange a key by each computingf(v) on 10 ·2n/2 random element v ∈ [2n] and sending those values f(v) to eachother. With .9 probability, Alice and Bob would agree on at least one pre-image,v. It would take an eavesdropper Eve Ω(2n(

12+ε)) time before she would be able

to find the v agreed upon by Alice and Bob. So, while Alice and Bob must takeO(2n/2) time, Eve must take O(2n(

12+ε)) time to break it.

Our construction will take on a similar form: Alice and Bob will send sev-eral problems to each other, and some of them will have planted solutions. Bymatching up where they both put solutions, they get a key exchange.

Concretely, Alice and Bob will exchangem instances of the Zero-k-Clique prob-lem and in

√m of them (chosen at random), plant solutions. The other m−

√m

will not have solutions (except with some small probability). Thesem problemswill be indexed, and we expect Alice and Bob to have both planted a solutionin the same index. Alice can check her

√m indices against Bob’s, while Bob

checks his, and by the end, with constant probability, they will agree on a sin-gle index as a key. In the end, Alice and Bob require O(mng +

√mnk) time to

exchange this index. Eve must take time Ω(nkm). When m = n2k−2g , Alice andBob take O(n2k−g) time and Eve takes Ω(n3k−2g). We therefore get some gapbetween the running time of Alice and Bob as compared to Eve for any valueof k ≥ g. Furthermore, for all δ > 0 there exists some large enough k such thatthe difference in running time is at least O(T (n)) time for Alice and Bob andΩ(T (n)1.5−δ) time for Eve. Theorem 5 is the formal theorem statement.

To show hardness for this construction we combine techniques from bothfine-grained complexity and cryptography (see Figure 2). We take a single in-stance and use a self-reduction to produce a list of ` instances where one hasa solution whp if the original instance has a solution. In our reductions ` willbe polynomial in the input size. Then, we take this list and produce two lists

10

Figure 2: A depiction of our reduction showing hardness for our fine-grainedkey exchange.

that have a solution in the same location with high probability if the originalinstance has a solution. Finally, we plant

√` solutions into the list, to simulate

Alice and Bob’s random solution planting.

One Way Functions First, and informally, a fine-grained OWF is a function on nbits that requires O(T (n)1−δ) time to evaluate for some constant δ > 0, and ifany adversary attempts to invert f in time O(T (n)1−δ

′) for any constant δ′ > 0,

she only succeeds with probability at most ε(n), where ε is considered “insignif-icant.”

Ball et al. [6] defined fine-grained OWFs, keeping track of the time requiredto invert and the probability of inversion in two separate parameters. We stream-line this definition by fixing the probability an adversary inverts too an insignif-icant function of input size, which we define in Section 2.

For this overview, we will focus on the intuition of using specific problemsk-Sum-R (k-Sum modulo R) or Zero-k-Clique-R (Zero-k-Clique modulo R) toget fine-grained OWFs, though in section A, we construct fine-grained OWFsfrom a general class of problems. Let N be the size of the input to these prob-lems. Note that if R is too small (e.g. constant), then these problems are solv-able quickly and the assumptions we are using are false. So, we will assumeR = Ω(nk).

OWF Assumptions. Much like for our key exchange, our assumptions areabout the difficulty of distinguishing an instance of k-Sum or Zero-k-Clique withprobability more than 2/3 in time faster than nk/2 or nk respectively. Formally,randomly generating a k-Sum-R instance is creating a k lists of size n withvalues randomly chosen from [0, R− 1]. Recall that a random Zero-k-Clique in-stance is a complete k-partite graph where weights are randomly chosen from[0, R− 1]. Our ‘weak’ k-Sum-R and Zero-k-Clique-R assumptions state that forany algorithm running in O(n) time, it cannot distinguish between a randomly

11

generated instance with a planted solution and one without with probabilitygreater than 2/3.

Note that these assumptions are much weaker than the previously describedkey-exchange assumption, where we allowed the adversary O(nk−Ω(1)) timeinstead of just super-linear.

Theorem 1 (Fine-Grained OWFs (informal)). If for some constant δ > 0 andrange R = Ω(nk) either k-Sum-R requires Ω(N1+δ) time to solve with probability> 2/3 or Zero-k-Clique-R requires Ω(N (1+δ)) time to solve with probability > 2/3then a fine-grained OWF exists.

The formal theorem is Theorem 8 and is proved in Appendix A.2.Intuitively our construction of a fine-grained OWF runs a planting proce-

dure on a random instance in timeO(N). By our assumptions finding this solu-tion takes time Ω(N1+δ) for some constant δ > 0, and thus inverting this OWFtakes Ω(N1+δ).

We also get a notion of hardcore bits from this. Unlike in traditional crypto,we can’t immediately use Goldreich-Levin’s hardcore bit construction [27]. Givena function on N bits, the construction requires at least Ω(N) calls to the ad-versary who claims to invert the hardcore bit. When one is seeking super-polynomial gaps between computation and inversion of a function, factors ofN can be ignored. However, in the fine-grained setting, factors of N can com-pletely eliminate the gap between computation and inversion, and so having anotion of fine-grained hardcore bits is interesting.

We show that for our concrete constructions of fine-grained OWFs, there isa subset of the input of size O(lg(N)) (or any sub-polynomial function) whichitself requires Ω(N1+δ) time to invert. From this subset of bits we can useGoldreich-Levin’s hardcore bit construction, only losing a factor ofNo(1) whichis acceptable in the fine-grained setting.

Theorem 2 (Hardcore Bits (informal)). If for some constant δ > 0 and range R =Ω(nk) either k-Sum-R requiresΩ(N1+δ) time to solve with probability> 2/3 or Zero-k-Clique-R requires Ω(N1+δ) time to solve with probability > 2/3 then a fine-grainedOWF exists with a hardcore bit that can not be guessed with probability greater than12 + 1/q(n) for any q(n) = no(1).

The formal theorem is Theorem 10 and is proved in Appendix A.3.Intuitively, solutions for k-Sum-R and Zero-k-Clique-R can be described in

O(log(n)) bits — we just list the locations of the solution. Given a solution forthe problem, we can just change one of the weights and use the solution locationto produce a correct preimage. So, now using Goldreich-Levin, we only need tomake O(log(n)) queries during the security reduction.

1.4 Organization of Paper

In section 2 we define our notions of fine-grained crypto primitives, includingfine-grained OWFs, fine-grained hardcore bits, and fine-grained key exchanges.

12

In section 3, we describe a few classes of general assumptions (plantable, split-table, and average-case list hard), and then describe the concrete fine-grainedassumptions we use (k-Sum and Zero-k-Clique). Next, in section 4 we showthat the concrete assumptions we made imply certain subsets of the general as-sumptions. In section 5, we show that using an assumption that is plantable,splittable, and average-case list hard, we can construct a fine-grained key ex-change.

In the supplementary appendix section A, we show how to use a plantableproblem to get a fine-grained OWF. In supplementary materials section B weshow that Zero-k-Clique has all of the desired properties (plantable, splittable,and average-case list hard).

2 Preliminaries: Model of Computation and Definitions

The running times of all algorithms are analyzed in the word-RAM model ofcomputation, where simple operations such as +,−, ·, bit-shifting, and mem-ory access all require a single time-step.

Just as in normal exponential-gap cryptography we have a notion of prob-abilistic polynomial-time (PPT) adversaries, we can similarly define an adver-sary that runs in time less than expected for our fine-grained polynomial-timesolvable problems. This notion is something we call probabilistic fine-grainedtime (or PFT). Using this notion makes it easier to define things like OWFs anddoesn’t require carrying around time parameters through every reduction.

Definition 1. An algorithm A is an T (n) probabilistic fine-grained time, PFTT (n),algorithm if there exists a constant δ > 0 such that A runs in time O(T (n)1−δ).

Note that in this definition, assuming T (n) = Ω(n), any sub-polynomial factorscan be absorbed into δ.

Additionally, we will want a notion of negligibility that cryptography has.Recall that a function negl(n) is negligible if for all polynomials Q(n) and suf-ficiently large n, negl(n) < 1/Q(n). We will have a similar notion here, but wewill use the words significant and insignificant corresponding to non-negligibleand negligible respectively.

Definition 2. A function sig(n) is significant if

sig(n) =1

no(1).

A function insig(n) is insignificant if for all significant functions sig(n) and suffi-ciently large n,

insig(n) < sig(n).

Note that for every polynomial f , 1/f(n) is insignificant. Also notice that if aprobability is significant for an event to occur after some process, then we onlyneed to run that process a sub-polynomial number of times before the event

13

will happen almost certainly. This means our run-time doesn’t increase evenin a fine-grained sense; i.e. we can boost the probability of success of a ran-domized algorithm running in O(T (n)) from 1/ log(n) to O(1) just by repeatingit O(log(n)) times, and still run in O(T (n)) time (note that ‘ ˜ ’ suppresses allsub-polynomial factors in this work).

2.1 Fine-Grained Symmetric Crypto Primitives

Ball et all defined fine-grained one-way functions (OWFs) in their work from2017 [6]. They parameterize their OWFs with two functions: an inversion-timefunction T (n) (how long it takes to invert the function on n bits), and an probability-of-inversion function ε; given T (n)1−δ

′time, the probability any adversary can

invert is ε(T (n)1−δ′). The computation time is implicitly defined to be anything

noticeably less than the time to invert: there exists a δ > 0 and algorithm run-ning in time T (n)1−δ such that the algorithm can evaluate f .

Definition 3 ((δ, ε)-one-way functions). A function f : 0, 1∗ → 0, 1∗ is (δ, ε)-one-way if, for some δ > 0, it can be evaluated on n bits in O(T (n)1−δ) time, but forany δ′ > 0 and for any adversary A running in O(T (n)1−δ

′) time and all sufficiently

large n,Pr

x←0,1n

[A(f(x)) ∈ f−1(f(x))

]≤ ε(n, δ).

Using our notation of PFTT (n), we will similarly define OWFs, but withone fewer parameter. We will only be caring about T (n), the time to invert,and assume that the probability an adversary running in time less than T (n)inverts with less time is insignificant. We will show later, in section A, that wecan compile fine-grained one-way functions with probability of inversion ε ≤1− 1

no(1) into ones with insignificant probability of inversion. So, it makes senseto drop this parameter in most cases.

Definition 4. A function f : 0, 1∗ → 0, 1∗ is T (n) fine-grained one-way (isan T (n)-FGOWF) if there exists a constant δ > 0 such that it takes time T (n)1−δ

to evaluate f on any input, and there exists a function ε(n) ∈ insig(n), and for allPFTT (n) adversaries A,

Prx←0,1n

[A(f(x)) ∈ f−1(f(x))

]≤ ε(n).

With traditional notions of cryptography there was always an exponentialor at least super-polynomial gap between the amount of time required to eval-uate and invert one-way functions. In the fine-grained setting we have a poly-nomial gap to consider.

Definition 5. The (relative) gap of an T (n) fine-grained one-way function f is theconstant δ > 0 such that it takes T (n)1−δ to compute f but for all PFTT (n) adversariesA,

Prx←0,1n

[A(f(x)) ∈ f−1(f(x))

]≤ insig(n).

14

2.2 Fine-Grained Asymmetric Crypto Primitives

In this paper, we will propose a fine-grained key exchange. First, we will showhow to do it in an interactive manner, and then remove the interaction. Remov-ing this interaction means that it implies fine-grained public key encryption!Here we will define both of these notions: a fine-grained non-interactive keyexchange, and a fine-grained, CPA-secure public-key cryptosystem.

First, consider the definition of a key exchange, with interaction. This def-inition is modified from [16] to match our notation. We will be referring to atranscript generated by Alice and Bob and the randomness they used to gener-ate it as a “random transcript”.

Definition 6 (Fine-Grained Key Exchange). A (T (n), α, γ)-FG-KeyExchange isa protocol, Π , between two parties A and B such that the following properties hold

– Correctness. At the end of the protocol, A and B output the same bit (bA = bB)except with probability γ;

PrΠ,A,B

[bA = bB ] ≥ 1− γ

This probability is taken over the randomness of the protocol, A, and B.– Efficiency. There exists a constant δ > 0 such that the protocol for both parties

takes time O(T (n)1−δ).– Security. Over the randomness of Π , A, and B, we have that for all PFTT (n)

eavesdroppers E has advantage α of guessing the shared key after seeing a randomtranscript. Where a transcript of the protocol Π is denoted Π(A,B).

PrA,B

[E(Π(A,B)) = bB ] ≤1

2+ α

A Strong (T (n))-FG-KeyExchange is a (T (n), α, γ)-FG-KeyExchange where αand γ are insignificant. The key exchange is considered weak if it is not strong.

This particular security guarantee protects against chosen plaintext attacks.But first, we need to define what we mean by a fine-grained public key cryp-tosystem.

Definition 7. An T (n)-fine-grained public-key cryptosystem has the followingthree algorithms.

KeyGen(1λ) Outputs a public-secret key pair (pk, sk).Enc(pk,m) Outputs an encryption of m, c.Dec(sk, c) Outputs a decryption of c, m.

These algorithms must have the following properties:

– They are efficient. There exists a constant δ > 0 such that all three algorithms runin time O

(T (n)1−δ

).

15

– They are correct. For all messages m,

PrKeyGen,Enc,Dec

[Dec(sk,Enc(pk,m)) = m|(pk, sk)← KeyGen(1λ)] ≥ 1−insig(n).

The cryptosystem is CPA-secure if any PFTT (n) adversary A has an insignificantadvantage in winning the following game:

1. Setup. A challenger C runs KeyGen(1n) to get a pair of keys, (pk, sk), and sendspk to A.

2. Challenge. A gives two messages m0 and m1 to the challenger. The challengerchooses a random bit b $← 0, 1 and returns c← Enc(pk,mb) to A.

3. Guess. A outputs a guess b′ and wins if b′ = b.

3 Average Case Assumptions

Below we will describe four general properties so that any assumed-to-be-hardproblem that satisfies them can be used in our later constructions of one-wayfunctions and cryptographic key exchanges. We will also propose two concreteproblems with believable fine-grained hardness assumptions on it, and we willprove that these problems satisfy some, if not all, of our general properties.

Let us consider a search or decision problem P . Any instance of P could po-tentially have multiple witnesses/solutions. We will restrict our attention onlyto those instances with no solutions or with exactly one solution. We define thenatural uniform distributions over these instances below.

Definition 8 (General Distributions). Fix a size n and a search problem P . DefineD0(P, n) as the uniform distribution over the set S0, the set of all P -instances of sizen that have no solutions/witnesses. Similarly, let D1(P, n) denote the uniform distri-bution over the set S1, the set of all P -instances of size n that have exactly one uniquesolution/witness. When P and n are clear from the context, we simply use D0 and D1.

3.1 General Useful Properties

We now turn our attention to defining the four properties that a fine-grainedhard problem needs to have, in order for our constructions to work with it.

To be maximally general, we present definitions often with more than oneparameter. The four properties are: average case indistinguishably hard, plantable,average case list-hard and splittable.

We state the formal definitions. In these definitions you will see constants forprobabilities. Notably 2/3 and 1/100. These are arbitrary in that the propertieswe need are simply that 1/2 < 2/3 and 2/3 is much less than 1−1/100. We laterboost these probabilities and thus only care that there are constant gaps.

Definition 9 (Average Case Indistinguishably Hard). For a decision or searchproblem P and instance size n, let D be the distribution drawing with probability 1/2from D0(P, n) and 1/2 from D1(P, n).

16

Let val(I) = 0 if I is from the support of D0 and let val(I) = 1 if I is from thesupport of D1.

P is Average Case Indistinguishably Hard in time T (n) (T (n)-ACIH) if T (n) =Ω(n) and for any PFTT (n) algorithm A

PrI∼D

[A(I) = val(I)] ≤ 2/3.

We also define a similar notion for search problems. Intuitively, it is hardto find a ‘witness’ for a problem with a solution, but we need to define what awitness is and how to verify a witness in the fine-grained world.

Definition 10 (Average Case Search Hard). For a search problem P and instancesize n, let D1 = D1(P, n).

Let wit(I) denote an arbitrary witness of an instance I with at least one solution.P is Average Case Search Hard in time T (n) if T (n) = Ω(n) and

– there exists a PFTT (n) algorithm V (a fine-grained verifier) such that V (I, wit(I)) =1 if I has a solution and wit(I) is a witness for it and 0 otherwise

– and for any PFTT (n) algorithm A

PrI∼D1

[A(I) = wit(I)] ≤ 1/100.

Note that ACIH implies ACSH, but not the other way around. In fact, givendifficulties in dealing with problems in the average case, getting search-to-decision reductions seems very difficult.

Our next definition describes a fine-grained version of a problem (or rela-tion) being ‘plantable’ [41]. The definition of a plantable problem from Lindell’sbook states that a plantable NP-hard problem is hard if there exists a PPT sam-pling algorithm G. G produces both a problem instance and a correspondingwitness (x, y), and over the randomness of G, any other PPT algorithm has anegligible chance of finding a witness for x.

There are a couple of differences between our definition and the plantabledefinition from Lindell’s book the [41]. First, we will of course have to put afine-grained spin on it: our problem is solvable in time T (n) and so we willneed to be secure against PFTT (n) adversaries. Second, we will be focusing ona decision-version of our problems, as indicated by definition 9. Intuitively, oursampler (Generate) will also take in a bit b to determine whether or not it pro-duces an instance of the problem that has a solution or does not.

Definition 11 (Plantable ((G(n), ε)-Plantable)). A T (n)-ACIH or T (n)-ACSHproblem P is plantable in timeG(n) with error ε if there exists a randomized algorithmGenerate that runs in time G(n) such that on input n and b ∈ 0, 1, Generate(n, b)produces an instance of P of size n drawn from a distribution of total variation distanceat most ε from Db(P, n).

If it is a T (n)−ACSH problem, then Generate(n, 1) also needs to output a witnesswit(I), in addition to an instance I .

17

We now introduce the List-Hard property. Intuitively, this property statesthat when given a list of length `(n) of instances of P , it is almost as hard todetermine if there exists one instance with a solution as it is to solve an instanceof size `(n) · n.

Definition 12 (Average Case List-hard ((T (n), `(n), δLH)-ACLH)). A T (n)-ACIH or T (n)-ACSH problem P is Average Case List Hard in time T (n) with listlength `(n) if `(n) = nΩ(1), and for every PFT`(n)·T (n) algorithm A, given a list of`(n) instances, I = I1, I2, . . . , I`(n), each of size n distributed as follows: i $← [`(n)]and Ii ∼ D1(P, n) and for all j 6= i, Ij ∼ D0(P, n);

PrI[A(I) = i] ≤ δLH .

It’s worth noting that this definition is nontrivial only if `(n) = nΩ(1). Oth-erwise `(n)T (n) = O(T (n)), since `(n) would be sub-polynomial.

We now introduce the splittable property. Intuitively a splittable problemhas a process in the average case to go from one instance I into a pair of aver-age looking problems with the same number of solutions. We use the splittableproperty to enforce that a solution is shared between Alice and Bob, which be-comes the basis of Alice and Bob’s shared key (see Figure 2).

Definition 13 ((Generalized) Splittable). A T (n)-ACIH problem P is generalizedsplittable with error ε, to the problem P ′ if there exists a PFTT (n) algorithm Split anda constant m such that

– when given aP -instance I ∼ D0(P, n), Split(I) produces a list of lengthm of pairsof instances (I11 , I12 ), . . . , (Im1 , Im2 ) where ∀i ∈ [1,m] Ii1, I

i2 are drawn from a

distribution with total variation distance at most ε from D0(P′, n)×D0(P

′, n).– when given an instance of a problem I ∼ D1(P, n), Split(I) produces a list of

length m of pairs of instances (I11 , I12 ), . . . , (Im1 , Im2 ) where ∃i ∈ [1,m] suchthat Ii1, Ii2 are drawn from a distribution with total variation distance at most εfrom D1(P

′, n)×D1(P′, n).

3.2 Concrete Hypothesis

Problem Descriptions Two key problems within fine-grained complexity are thek-Sum problem and the Zero-k-Clique problem.

Given k lists of n numbers L1, . . . , Lk, the k-Sum problem asks, are therea1 ∈ L1, . . . , ak ∈ Lk so that

∑kj=1 aj = 0. The fastest known algorithms for k-

Sum run in ndk/2e−o(1) time, and this running time is conjectured to be optimal,in the worst case (see e.g. [44, 2, 54]).

The Zero-k-Clique problem is, given a graph G on n vertices and integeredge weights, determine whether G contains k vertices that form a k-cliqueso that the sum of all the weights of the clique edges is 0. The fastest knownalgorithms for this problem run in nk−o(1) time, and this is conjectured to beoptimal in the worst case (see e.g. [5], [1], [40], [17]). As we will discuss later,

18

Zero-k-Clique and k-Sum are related. In particular, it is known [56] that if 3-Sum requires n2−o(1) time, then Zero-3-Clique requires n3−o(1) time. Zero-3-Clique is potentially even harder than 3-Sum, as other problems such as All-Pairs Shortest Paths are known to be reducible to it, but not to 3-Sum.

A folklore conjecture states that when the 3-Sum instance is formed by draw-ing n integers uniformly at random from −n3, . . . , n3 no PFTn2 algorithm cansolve 3-Sum on a constant fraction of the instances. This, and more related con-jectures were explicitly formulated by Pettie [46].

We propose a new hypothesis capturing the folklore intuition, while draw-ing some motivation from other average case hypotheses such as Planted Clique.For convenience, we consider the k-Sum and Zero-k-Clique problems moduloa number; this variant is at least as hard to solve as the original problems overthe integers: we can reduce these original problems to their modular versionswhere the modulus is only k (for k-Sum) or

(k2

)(for Zero-k-Clique) times as

large as the original range of the numbers.We will discuss and motivate our hypotheses further in Section 4.

Definition 14. An instance of the k-Sum problem over range R, k-Sum-R, consistsof kn numbers in k lists L1, . . . , Lk. The numbers are chosen from the range [0, R−1].A solution of a k-Sum-R instance is a set of k numbers a1 ∈ L1, . . . , ak ∈ Lk suchthat their sum is zero mod R,

∑ki=1 ai ≡ 0 mod R.

We will also define the uniform distributions over k-Sum instances that havea certain number of solutions. We define two natural distributions over k-Sum-R instances.

Definition 15. Define Dksumuniform[R,n] be the distribution of instances obtained by pick-

ing each integer in the instance uniformly at random from the range [0, R− 1].Define Dksum

0 [R,n] = D0( k-Sum-R,n) to be the uniform distribution over k-Sum-R instances with no solutions. Similarly, let Dksum

1 [R,n] = D1( k-Sum-R,n)to be the uniform distribution over k-Sum-R instances with 1 solution.

The distribution Dksum[R, i, n] is the uniform distribution over k-Sum instanceswith n values chosen modulo R and where there are exactly i distinct solutions.

Let Dksum0 [R,n] = Dksum[R, 0, n], and Dksum

1 [R,n] = Dksum[R, 1, n].

We now proceed to define the version of Zero-k-Clique that we will be us-ing. In addition to working modulo an integer, we restrict our attention to k-partite graphs. In the worst case, the Zero-k-Clique on a general graph reducesto Zero-k-Clique on a complete k-partite graph 2[3].

Definition 16. An instance of Zero-k-Clique-R consists of a k-partite graph with knnodes and partitions P1, . . . , Pk. The k-partite graph is complete: there is an edge be-tween a node v ∈ Pi and a node u ∈ Pj if and only if i 6= j. Thus, every instance has(k2

)n2 edges. The weights of the edges come from the range [0, R− 1].

2 This reduction is done using color-coding ([3]), an example of this lemma exists in thepaper “Tight Hardness for Shortest Cycles and Paths in Sparse Graphs” [40].

19

A solution in a Zero-k-Clique-R instance is a set of k nodes v1 ∈ P1, . . . , vk ∈ Pksuch that the sum of all the weights on the

(k2

)edges in the k-clique formed by v1, . . . , vk

is congruent to zero mod R:∑i∈[1,k]

∑j∈[1,k] and j 6=i w(vi, vj) ≡ 0 mod R. A solu-

tion is also called a zero k-clique.

We now define natural distributions over Zero-k-Clique-R instances, similarto those we defined for k-Sum-R. We will additionally define the distributionsof these instances in which a certain number of solutions appear.

Definition 17. Define Dzkcuniform[R,n] to be the distribution of instances obtained by

picking each integer edge weight in the instance uniformly at random from the range[0, R− 1].

Define Dzkc0 [R,n] = D0(Zero-k-Clique-R,n) to be the uniform distribution over

Zero-k-Clique-R instances with no solutions. Similarly, let Dzkc1 [R,n] = D1(Zero-

k-Clique-R,n) to be the uniform distribution over Zero-k-Clique-R instances with 1solution.

The distribution is Dzkc[R, i, n] the uniform distribution over zero k-clique in-stances on kn nodes with weights chosen modulo R and where there are exactly i dis-tinct zero k-cliques in the graph. Let Dzkc

0 [R,n] = Dzkc[R, 0, k] and Dzkc1 [R,n] =

Dzkc[R, 1, k].

Weak and Strong Hypotheses The strongest hypothesis that one can make is thatthe average case version of a problem takes essentially the same time to solveas the worst case variant is hypothesized to take. The weakest but still usefulhypothesis that one could make is that the average case version of a problemrequires super-linear time. We formulate both such hypotheses and derive mean-ingful consequences from them.

We state the weak versions in terms of decision problems and the strongversion in terms of search problems. This is for convenience of presenting re-sults. Our fine-grained one-way functions and fine-grained key exchanges canboth be built using the search variants. We make these choices for clarity ofpresentation later on.

Definition 18 (Weak k-Sum-R Hypothesis ). There exists some large enough con-stant c such that for all constants c′ > c, distinguishingDksum

0 [c′R,n] and Dksum1 [c′R,n] is n1+δ-ACIH for some δ > 0.

Definition 19 (Weak Zero-k-Clique-RHypothesis ). There exists some large enoughconstant c such that for all constants c′ > c, distinguishingDzkc

0 [c′R,n] andDzkc1 [c′R,n]

is n2+δ-ACIH for some δ > 0.Notice that the Zero-k-Clique-R problem is of size O(n2).

Definition 20 (Strong Zero-k-Clique-R Hypothesis for range nck). For all c >1, given an instance I drawn from the distribution Dzkc

1 [nck, n] where the witness (so-lution) is the single zero k-clique is formed by nodes v1, . . . , vk, finding v1, . . . , vkis nk-ACSH.

20

Some may find the assumption with range nk to be the most believable as-sumption. This is where the probability of a Zero-k-Clique existing at all is aconstant.

Definition 21 (Random Edge Zero-k-Clique Hypothesis ). Let sol(I) be a func-tion over instances of Zero-k-Clique problems where sol(I) = 0 if there are no zero k-cliques and sol(I) = 1 if there is at least one zero k-clique. Let wit(I) be a zero k-cliquein I , if one exists. Given an instance I drawn from the distributionDzkc

uniform[nk, n] there

is some large enough n such that for any PFTnk algorithm A

PrI∼D

[A(I) = wit(I)|sol(I) = 1] ≤ 1/200.

Theorem 3. Strong Zero-k-Clique-R Hypothesis for range R = nck is implied by theRandom Edge Random Edge Zero-k-Clique Hypothesis if c > 1 is a constant.

The proof of this Theorem is in the appendix in Theorem 15. 3

4 Our assumptions - background and justification

In this section, we justify making average-case hardness assumptions for k-SUM and Zero k-Clique — and why we do not for other fine-grained problems.We start with some background on these problems, and then justify why ourhypotheses are believable.

4.1 Background for Fine-Grained Problems

Among the most popular hypotheses in fine-grained complexity is the one con-cerning the 3-Sum problem defined as follows: given three lists A,B and C of nnumbers each from −nt, . . . , nt for large enough t, determine whether thereare a ∈ A, b ∈ B, c ∈ C with a+b+c = 0. There are multiple equivalent variantsof the problem (see e.g. [25]).

The fastest 3-Sum algorithms run in n2(log log n)O(1)/ log2 n time (Baran,Demaine and Patrascu for integer inputs [9], and more recently Chan’18 forreal inputs [19]). Since the 1990s, 3-Sum has been an important problem in com-putational geometry. Gajentaan and Overmars [25] formulated the hypothesisthat 3-Sum requires quadratic time (nowadays this means n2−o(1) time on aword-RAM with O(log n) bit words), and showed via reductions that manygeometry problems also require quadratic time under this hypothesis. Theirwork spawned many more within geometry. In recent years, many more con-sequences of this hypothesis have been derived, for a variety of non-geometricproblems, such as sequence local alignment [1], triangle enumeration [44, 37],and others.

As shown by Vassilevska Williams and Williams [56], 3-Sum can be reducedto a graph problem, 0-Weight Triangle, so that if 3-Sum requires n2−o(1) time on

3 Thank you to Russell Impagliazzo for discussions related to the sizes of ranges R.

21

inputs of size n, then 0-Weight Triangle requiresN3−o(1) time inN -node graphs.In fact, Zero-Weight Triangle is potentially harder than 3-Sum, as one can alsoreduce to it the All-Pairs Shortest Paths (APSP) problem, which is widely be-lieved to require essentially cubic time in the number of vertices. There is noknown relationship (via reductions) between APSP and 3-Sum.

The Zero-Weight Triangle problem is as follows: given an n-node graph withedge weights in the range −nc, . . . , nc for large enough c, denoted by thefunction w(·, ·), are there three nodes p, q, r so that w(p, q) + w(q, r) + w(r, p) =0? Zero-Weight Triangle is just Zero-3-Clique where the numbers are from apolynomial range.

An equivalent formulation assumes that the input graph is tripartite andcomplete (between partitions).

Both 3-Sum and Zero-Weight Triangle have generalizations for k ≥ 3: k-Sumand Zero-Weight k-Clique, defined in the natural way: (1) given k lists of nnumbers each from −nck, . . . , nck for large c, are there k numbers, one fromeach list, summing to 0? and (2) given a complete k-partite graph with edgeweights from −nkc, . . . , nkc for large c, is there a k-clique with total weightsum 0?

4.2 Justifying the Hardness of Some Average-Case Fine-Grained Problems

The k-Sum problem is conjectured to require ndk/2e−o(1) time (for large enoughweights), and the Zero-Weight k-Clique problem is conjectured to require nk−o(1)

time (for large enough weights), matching the best known algorithms for bothproblems (see [54]). Both of these conjectures have been used in fine-grainedcomplexity to derive conditional lower bounds for other problems (e.g. [5], [1],[40], [17]).

It is tempting to conjecture average-case hardness for the key hard prob-lems within fine-grained complexity: Orthogonal Vectors (OV), APSP, 3-Sum.However, it is known that APSP is not hard on average, for many natural dis-tributions (see e.g. [45, 21]), and OV is likely not (quadratically) hard on average(see e.g. [35]).

On the other hand, it is a folklore belief that 3-Sum is actually hard onaverage. In particular, if one samples n integers uniformly at random from−cn3, . . . , cn3 for constant c, the expected number of 3-Sums in the instanceisΘ(1), and there is no known truly subquadratic time algorithm that can solve3-Sum reliably on such instances. The conjecture that this is a hard distributionfor 3-Sum was formulated for instance by Pettie [46].

The same folklore belief extends to k-Sum. Here a hard distribution seemsto be to generate k lists uniformly from a large enough range −cnk, . . . , cnk,so that the expected number of solutions is constant.

Due to the tight relationship between 3-Sum and Zero-Weight Triangle, onemight also conjecture that uniformly generated instances of the latter problemare hard to solve on average. In fact, if one goes through the reductions fromthe worst-case 3-Sum problem to the worst-case Zero-Weight Triangle, via the3-Sum Convolution problem [44, 57] starting from an instance of 3-Sum with

22

numbers taken uniformly at random from a range, then one obtains a list ofZero-Weight Triangle instances that are essentially average-case. This is easierto see in the simpler but less efficient reduction in [57] which from a 3-Sum in-stance creates n1/3 instances of (complete tripartite) Zero-Weight Triangle onO(n2/3) nodes each and whose edge weights are exactly the numbers from the3-Sum instance. Thus, at least for k = 3, average-case hardness for 3-Sum isstrong evidence for the average-case hardness for Zero-Weight Triangle.

In Appendix 15 we give a reduction between uniform instances of uniformZero-Weight k-Clique with range Θ(nk) and instances of planted Zero-Weightk-Clique with large range. Working with instances of planted Zero-Weight k-Clique with large range is easier for our hardness constructions, so we use thosein most of this paper.

Justifying the Hardness of Distinguishing. Now, our main assumptionsconsider distinguishing between the distributions D0 and D1 for 3-Sum andZero-Weight Triangle. Here we take inspiration from the Planted Clique as-sumption from Complexity [29, 33, 38]. In Planted Clique, one first generatesan Erdos-Renyi graph that is expected to not contain large cliques, and thenwith probability 1/2, one plants a clique in a random location. Then the asser-tion is that no polynomial time algorithm can distinguish whether a clique wasplanted or not.

We consider the same sort of process for Zero-k-Clique. Imagine that wefirst generate a uniformly random instance that is expected to have no zero k-Cliques, by taking the edge weights uniformly at random from a large enoughrange, and then we plant a zero k-Clique with probability 1/2 in a random loca-tion. Similarly to the Planted Clique assumption, but now in a fine-grained way,we can assume that distinguishing between the planted and the not-plantedcase is computationally difficult.

Our actual hypothesis is that when one picks an instance that has no zero k-Cliques at random with probability 1/2 and picks one that has a zero k-Cliquewith probability 1/2, then distinguishing these two cases is hard. As we showlater, this hypothesis is essentially equivalent to the planted version (up to someslight difference between the underlying distributions).

Similarly to Planted Clique, no known approach for Zero-k-Clique seems towork in this average-case scenario, faster than essentially nk, so it is natural tohypothesize that the problem is hard. We leave it as a tantalizing open problemto determine whether the problem is actually hard, either by reducing a popularworst-case hypothesis to it, or by providing a new algorithmic technique.

5 Fine-Grained Key Exchange

Now we will explain a construction for a key exchange using general distribu-tions. We will then specify the properties we need for problems to generate asecure key exchange. We will finally generate a key exchange using the strongZero-k-Clique hypothesis. Sketches for most of proofs of these theorems areprovided here, while full proofs can be found in Appendix C.

23

Before doing this, we will define a class of problems as being Key ExchangeReady (KER).

Definition 22 (Key Exchange Ready (KER)). A problem P is `(n)-KER with gen-erate time G(n), solve time S(n) and lower bound solving time T (n) if

– there is an algorithm which runs in Θ(S(n))) time that determines if an instanceof P of size n has a solution or not,

– the problem is (`(n), δLH)-ACLH where δLH ≤ 134 ,

– is Generalized Splittable with error ≤ 1/(128`(n)) to the problem P ′ and,– P ′ is plantable in time G(n) with error ≤ 1/(128`(n)).– `(n)T (n) ∈ ω

(`(n)G(n) +

√`(n)S(n)

), and

– there exists an n′ such that for all n ≥ n′, `(n) ≥ 214.

5.1 Description of a Weak Fine-Grained Interactive Key Exchange

The high level description of the key exchange is as follows. Alice and Bobeach produce `(n) −

√`(n) instances using Generate(n, 0) and

√`(n) generate

instances with Generate(n, 1). Alice then shuffles the list of `(n) instances so thatthose with solutions are randomly distributed. Bob does the same thing (withhis own private randomness). Call the set of indices that Alice chooses to plantsolutions SA and the set Bob picks SB . The likely size of SA∩SB is 1. The indexSA ∩ SB is the basis for the key.

Alice determines the index SA ∩ SB by brute forcing all problems at indicesSA that Bob published. Bob can brute force all problems at indices SB that Alicepublished and learn the set SA ∩ SB .

If after brute forcing for instances either Alice or Bob find a number of solu-tions not equal to 1 then they communicate this and repeat the procedure (usinginteraction). They only need to repeat a constant number of times.

More formally our key exchange does the following:

Construction 4 (Weak Fine-Grained Interactive Key Exchange) A fine-grainedkey exchange for exhanging a single bit key.

– Setup(1n): output MPK = (n, `(n)) and `(n) > 214.– KeyGen(MPK): Alice and Bob both get parameters (n, `).• Alice generates a random SA ⊂ [`], |SA| =

√`. She generates a list of in-

stances IA = (I1A, . . . , I`A) where for all i ∈ SA, Ii = Generate(n, 1) and for

all i 6∈ SA, IiA = Generate(n, 0) (using Alice’s private randomness). Alicepublishes IA and a random vector v $← 0, 1log `.

• Bob computes IB = (I1B , . . . , I`B) similarly: generating a random SB ⊂ [`] of

size√` and for every instance Ij ∈ IB , if j ∈ SB , Ij = Generate(n, 1) and if

j 6∈ SB , Ij = Generate(n, 0). Bob publishes IB .– Compute shared key: Alice receives IB and Bob receives IA.• Alice computes what she believes is SA ∩ SB : for every i ∈ SA, she brute force

checks if IiB has a solution or not. For each i that does, she records in list LA.

24

• Bob computes what he thinks to be SB ∩ SA: for every j ∈ SB , he checks if IjAhas a solution. For each that does, he records it in LB .

– Check: Alice takes her private list LA: if |LA| 6= 1, Alice publishes that the ex-change failed. Bob does the same thing with his list LB : if |LB | 6= 1, Bob publishesthat the exchange failed. If either Alice or Bob gave or recieved a failure, they bothknow, and go back to the KeyGen step.If no failure occurred, then |LA| = |LB | = 1. Alice interprets the index i ∈ LAas a vector and computes i · v as her key. Bob uses the index in j ∈ LB and alsocomputes j · v. With high probability, i = j and so the keys are the same.

5.2 Correctness and Soundness of the Key Exchange

We want to show that with high probability, once the key exchange succeeds,both Alice and Bob get the same shared index.

Lemma 1. After running construction 4, Alice and Bob agree on a key k with proba-bility at least 1− 1

10,000`e .

Sketch of Proof We notice that the only way Alice and Bob fail to exchangea key is if they both generate a solution accidentally in each other’s sets (thatis Alice generates exactly one accidental solution in SB and Bob in SA), andSA ∩ SB = ∅. All other ‘failures’ are detectable in this interactive case and sim-ply require Alice and Bob to run the protocol again. So, we just bound the prob-ability this happens, and since εplant ≤ 1

100√`, we get the bound 1− 1

10,000`e . Thefull proof can be found in Appendix C.1. ut

We next show that the key-exchange results in gaps in running time andsuccess probability between Alice and Bob and Eve. Then, we will show thatthis scheme can be boosted in a fine-grained way to get larger probability gaps(a higher chance that Bob and Alice exchange a key and lower chance Eve getsit) while preserving the running time gaps.

First, we need to show that the time Alice and Bob take to compute a sharedkey is less (in a fine-grained sense) than the time it takes Eve, given the publictranscript, to figure out the shared key. This includes the number of times weexpect Alice and Bob to need to repeat the process before getting a usable key.

Time for Alice and Bob.

Lemma 2. If a problem P is `(n)-KER with plant time G(n), solve time S(n) andlower bound T (n) when `(n) > 100, then Alice and Bob take expected timeO(`G(n)+√`S(n)) to run the key exchange.

Sketch of Proof It is easy to see that one iteration of the key exchange pro-tocol requires `G(n) time to generate the ` problems, and then

√`S(n) time to

brute-force solve√` instances of P . However, we need to prove that we only it-

erate this key-exchange a constant number of times. This part is a simple appli-cation of the birthday paradox, showing that we expect SA and SB to intersect

25

in exactly one place with constant probability, and then applying the accuracyof our planting functionality (which succeeds with probability 1 − εplant). Thefull proof can be found in Appendix C.2. ut

Time for Eve.

Lemma 3. If a problem P is `(n)-KER with plant time G(n), solve time S(n) andlower bound T (n) when `(n) ≥ 214, then an eavesdropper Eve, when given the tran-script IT , requires Ω(`(n)T (n)) time to solve for the shared key with probability 1

2 +sig(n).

Sketch of Proof This is proved in two steps. First, if Eve can determine theshared key in time PFT`(n)T (n) with advantage δEve, then she can also figureout the index in PFT`(n)T (n) time with probability δEve/4. Second, if Eve cancompute the index with advantage δEve/4, we can use Eve to solve the list-version of P in PFT`(n)T (n) with probability δEve/16, which is a contradictionto the list-hardness of our problem. This first part follows from a fine-grainedGoldreich-Levin hardcore-bit theorem, Theorem 10.

The second part, proving that once Eve has the index, then she can solvean instance of P , uses the fact that P is list-hard, generalized splittable, andplantable. Intuitively, since P is already list hard, we will start with a list ofaverage problem instances (I1, . . . , I`), and our goal will be to have Eve tellus which instance (index) has a solution. We apply the splittable property tothis list to get lists of pairs of problems. For one of these lists of pairs, therewill exist an index where both instances have solutions. These lists of pairs willalmost look like the transcript between Alice and Bob during the key exchange:if I had a solution then there should be one index such that both instances ina pair have a solution. Now, we just need to plant

√` − 1 solutions in the left

instances and√` − 1 on the right, and this will be indistinguishable from a

transcript between Alice and Bob. If Eve can find the index of the pair withsolutions, we can quickly check that she is right (because the instances insidethe list are relatively small), and simply return that index.

The full proof can be found in Appendix C.2. ut

Now, we can put all of these together to get a weak fine-grained key ex-change. We will then boost it to be a strong fine-grained key exchange (see theDefinition 6 for weak versus strong in this setting).

Theorem 5. If a problem P is `(n)-KER with plant time G(n), solve time S(n)and lower bound T (n) when `(n) ≥ 214, then construction 4 is a ((`(n)T (n), α, γ)-FG-KeyExchange, with γ ≤ 1

10,000`(n)e and α ≤ 14 .

Proof. This is a simple combination of the correctness of the protocol, and thefact that an eavesdropper must take more time than the honest parties. We havethat the Pr[bA = bB ] ≥ 1 − 1

10,000`e , implying γ ≤ 110,000`e from Lemma 1. We

have that Alice and Bob take time O(`(n)G(n) +√`(n)S(n)) and Eve must

26

take time Ω(`(n)T (n)) to get an advantage larger than 14 by Lemmas 2 and

3. Because P is KER , `(n)T (n) ∈ ω(`(n)G(n) +

√`(n)S(n)

), implying there

exists δ > 0 so that `(n)G(n) +√`(n)S(n) ∈ O(`(n)T (n)1−δ). So, we have

correctness, efficiency and security. ut

Next, we are going to amplify the security of this key exchange using paral-lel repetition, drawing off of strategies from [24] and [13].

Theorem 6. If a weak (`(n)T (n), α, γ)-FG-KeyExchange exists where γ = O(

1nc

)for some constant c > 0, but α = O(1), then a Strong (`(n)T (n))-FG-KeyExchangealso exists.

Proof. Using techniques from [13], we will phrase breaking this key exchange asan eavesdropper as an honest-verifier two-round parallel repetition game. Theoriginal game as a PFT`(n)T (n) prover P and verifier V . V generates an honesttranscript of the key exchange between Alice and Bob and sends this transcripttoP . Note that the single-bit key sent in this protocol is uniformly distributed.Pwins if P can output the key correctly. Now, because any eavesdropper runningPFT`(n)T (n) only has advantage α of determining the key, the prover P hasprobability at most 1

2 + α of winning this game. Let β = 12 + α. By Theorem

4.1 of [13], if we instead have V generate m parallel repetitions (m independenttranscripts of the key exchange), then the probability that P can find all of thekeys in PFT`(n)T (n) is less than 16

1−β · e−m(1−β2)/256 (which is larger than 32

(1−β) ·e−mc(1−β

2)/256).Let m = 512

1−β2 · log(n), which is sub-polynomial in n because β is at leastconstant. and we get that the probability the prover succeeds in finding all mkeys is at most β′ = O

(1n2

). Now, we need this to work while there is some

error γ. Note that γ is at most 1/nc, so the probability we get an error in anyof the m instances of the key exchange is (1− γ)d·log(n) for some constant d.Asymptotically, this is e−γd log(n) = n−γd. This is where we required γ to be sosmall: because γ = O(1/nc), this probability of failure is o(

√γ), which is still

insignificant.Now, we need to turn this m parallel-repetition back into a key exchange.

We will first do that by employing our fine-grained Goldreich-Levin method:the weak key-exchange will be run m times in parallel and Alice will addition-ally send a uniformly random m-length binary vector, r. The key will be the mkeys, k = (k1, . . . , km) dot-producted with r: k · r. Because m is sub-polynomialin n and the Goldreich-Levin security reduction only requires O(m2) time, k · ris a fine-grained hard-core bit for the transcript. Therefore, an eavesdropperwill have advantage at most 1

2 + insig(n) in determining the shared key. ut

Remark 1. It is not obvious how to amplify correctness and security of a fine-grained key exchange at the same time. If we have a weak (`(n)T (n), α, γ)-FG-KeyExchange,where α = insig(n) but γ = O(1), then we can use a standard repetition error-correcting code to amplify γ. That is, we can run the key exchange log2(n) times

27

to get log2(n) keys (most of which will agree between Alice and Bob), and tosend a message with these keys, send that message log2(n) times. With all butnegligible probability, the decrypted message will agree with the sent messagea majority of the time. Since with very high probability the adversary cannot re-cover any of the keys in PFT`(n)T (n) time, this repetition scheme is still secure.

As shown in Theorem 6, we can also amplify a key exchange that has con-stant correctness and polynomial soundness to one with 1− insig(n) correctnessand polynomial soundness. However, it is unclear how to amplify both at thesame time in a fine-grained manner.

Corollary 1. If a problemP is `(n)-KER, then a Strong (`(n)T (n))-FG-KeyExchangeexists.

Proof. The probability of error in Construction 4 is at most 110,000`(n)e , and `(n) =

nΩ(1) (due to the fact that `(n) comes from the definition of list-hard, Definition12. The probability a PFT`(n)T (n) eavesdropper has of resolving the key is 1

2 +α

where α ≤ 14 . This means our β ≤ 3

4 = O(1). Since the clauses in theorem 6 aremet, a Strong (`(n)T (n))-FG-KeyExchange exists. ut

Finally, using the fact that Alice and Bob do not use each other’s messagesto produce their own in Construction 4, we prove that we can remove all inter-action through repetition and get a T (n)-fine-grained public key cryptosystem.

Lemma 4. Construction 4 does not need interaction.

Proof. There is a constant probability that the construction fails at each round.So, Alice and Bob will simply run the protocol c · log(n) times in parallel andtake the key generated from the first successful exchange. There are two er-rors to keep track of: the chance that Alice and Bob’s SA and SB do not in-tersect in exactly one spot and the probability that an instance was generatedwith a false-positive. Since εplant is so small (O(1/nΩ(1))), we do not need toworry about the false-positives (the chance of generating one is insignificant).So, the error we are concerned with is the chance that none of the c log(n) in-stances of the key exchange end up having SA and SB overlapping in exactly1 entry. This happens with probability at most Pr[no overlap c log(n) times] =(Pr[no overlap once])c logn ≤ O(1/nc), which is also insignificant. Therefore,the chance this key exchange fails is at most 1− ( c log(n)10,000`e +

1nc ) = 1− insig(n).

ut

Theorem 7. If a problem P is `(n)-KER, then a `(n) · T (n)-fine-grained public keycryptosystem exists.

Proof. First, consider an amplified, non-interactive version of Construction 4(combination of Corollary 1 and lemma 4): Alice and Bob run the protocolm times in parallel, where m = 512

1−β2 · log(n), and Alice sends an additionalrandom binary vector r ∈ 0, 1m. The key they agree on is the dot-productbetween r and the vector of keys exchanged. This is a Strong (`(n)T (n))-FG-KeyExchange (see Corollary 1). We now define the three algorithms for a fine-grained public key cryptosystem.

28

– KeyGen(1n): run Bob’s half of the non-interactive protocol m times, gen-erating m collections of c log(n) lists of `(n) instances of P : (I(1,i)B , . . . ,

I(c log(n),i)B )i∈[m]. Each list I(j,i)B has a random set S(j,i)

B ⊂ [`] where instancesIk ∈ I

(j,i)B are from Generate(n, 1) if k ∈ S(j,i)

B and from Generate(n, 0) other-wise. The public key is pk = (I(1,i)B , . . . , I

(c log(n),i)B )i∈[m] and the secret key

is sk = (S(1,i)B , . . . , S

(c log(n),i)B )i∈m.

– Enc(pk,m ∈ 0, 1): run Alice’s half of the protocol m times, solving for theshared key, and then encrypting a message under that key. More formally,generate m lists of c log(n) sets S(j,i)

A ⊂ [`] such that |S(j,i)A | =

√`. Then,

generate lists of instances I(j,i)A for i ∈ 1, . . . ,m and j ∈ 1, . . . , c log(n),

where for every instance I(j,i)k ∈ I(j,i)A , I(j,i)k = Generate(n, 1) if k ∈ S(j,i)

A andotherwise use Generate(n, 0). Now, for each of these m instances, computethe shared key as in Construction the non-interactive version 4 (see lemma4), to get a vector of keys k = (k1, . . . , km). If any of these exchanges fail,output ⊥. Now, compute a random binary vector r ∈ 0, 1m and let key =

k · r. Finally, let the ciphertext c =((I

(1)A , . . . , I

(m)A ), r, key ⊕m

).

– Dec(sk, c): Bob computes the shared key and decrypts the message. For-mally, let c =

((I

(1)A , . . . , I

(m)A ), r, c∗

). Bob computes the shared key just like

Alice, using (k · r)⊕ c∗ = m′. Output the bit m′.

Now we will prove this is indeed a fine-grained public key cryptosystem.First, because the key exchange took Alice and Bob PFT`(n)T (n) time, this schemeis efficient, requiring at most (`(n)T (n))1−δ ·m · (c log n) = O(`(n)T (n)(1−δ)) forconstant δ > 0.

Next, the scheme is correct. This comes directly from the fact that the keyexchange succeeds with probability 1− insig(n).

Lastly, the scheme is secure. This is a simple reduction from the securitygame to an eavesdropper. For sake of contradiction, let Eve be a PFT`(n)T (n)

adversary that can win the CPA-security game as in Definition 7 with proba-bility 1

2 + ε where ε = sig(n). Eve can then directly win the key exchange wi†hthe same advantage because the message the challenger gives to Eve is simplya transcript of a key exchange.

Note that this encryption scheme can be used to send any sub-polynomialnumber of bits, just by running it in sequence sub-polynomially many times.We also want to note that the adversary’s advantage cannot be any less than

1poly(n) since, due to the fine-grained nature of the scheme, the adversary canalways solve the hard problem via guessing.

Corollary 2. Given the strong Zero-k-Clique-RHypothesis over rangeR = `(n)2n2k,there exists a(`(n)T (n), 1/4, insig(n))-FG-KeyExchange, where Alice and Bob can exchange asub-polynomial-sized key in time O

(nk√`(n) + n2`(n)

)for every polynomial `(n) =

nΩ(1).

29

There also exists a `(n)T (n)-fine-grained public-key cryptosystem, where we canencrypt a sub-polynomial sized message in time O

(nk√`(n) + n2`(n)

).

Both of these protocols are optimized when `(n) = n2k−4.

Proof in Appendix C.The Zero-3-Clique hypothesis (the Zero Triangle hypothesis) is generally

better believed than the Zero-k-Clique hypothesis for larger k. Note that evenwith the strong Zero-3-Clique hypothesis we get a key exchange with a gap inthe running times of Alice and Bob vs Eve. In this case, the gap is t = 5/4 = 1.2.

References

1. A. Abboud, V. Vassilevska Williams, and O. Weimann. Consequences of faster align-ment of sequences. In International Colloquium on Automata, Languages, and Program-ming, pages 39–51. Springer, 2014.

2. A. Abboud and V. V. Williams. Popular conjectures imply strong lower boundsfor dynamic problems. In 55th IEEE Annual Symposium on Foundations of ComputerScience, FOCS 2014, Philadelphia, PA, USA, October 18-21, 2014, pages 434–443, 2014.

3. N. Alon, R. Yuster, and U. Zwick. Color coding. In Encyclopedia of Algorithms, pages335–338. 2016.

4. B. Applebaum, B. Barak, and A. Wigderson. Public-key cryptography from differentassumptions. In Proceedings of the Forty-second ACM Symposium on Theory of Comput-ing, STOC ’10, pages 171–180, New York, NY, USA, 2010. ACM.

5. A. Backurs and C. Tzamos. Improving viterbi is hard: Better runtimes imply fasterclique algorithms. CoRR, abs/1607.04229, 2016.

6. M. Ball, A. Rosen, M. Sabin, and P. N. Vasudevan. Average-case fine-grained hard-ness. In Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Comput-ing, STOC 2017, Montreal, QC, Canada, June 19-23, 2017, pages 483–496, 2017.

7. M. Ball, A. Rosen, M. Sabin, and P. N. Vasudevan. Proofs of work from worst-caseassumptions. In Advances in Cryptology - CRYPTO 2018 - 38th Annual InternationalCryptology Conference, Santa Barbara, CA, USA, August 19-23, 2018, Proceedings, PartI, pages 789–819, 2018.

8. B. Barak and M. Mahmoody-Ghidary. Merkle puzzles are optimal - an O(n2)-queryattack on any key exchange from a random oracle. In Advances in Cryptology -CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA,USA, August 16-20, 2009. Proceedings, pages 374–390, 2009.

9. I. Baran, E. D. Demaine, and M. Patrascu. Subquadratic algorithms for 3sum. Algo-rithmica, 50(4):584–596, 2008.

10. M. Bellare, R. Canetti, and H. Krawczyk. Pseudorandom functions revisited: Thecascade construction and its concrete security. In 37th Annual Symposium on Foun-dations of Computer Science, FOCS ’96, Burlington, Vermont, USA, 14-16 October, 1996,pages 514–523, 1996.

11. M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment ofsymmetric encryption. In 38th Annual Symposium on Foundations of Computer Science,FOCS ’97, Miami Beach, Florida, USA, October 19-22, 1997, pages 394–403, 1997.

12. M. Bellare, R. Guerin, and P. Rogaway. XOR macs: New methods for messageauthentication using finite pseudorandom functions. In Advances in Cryptology -CRYPTO ’95, 15th Annual International Cryptology Conference, Santa Barbara, Califor-nia, USA, August 27-31, 1995, Proceedings, pages 15–28, 1995.

30

13. M. Bellare, R. Impagliazzo, and M. Naor. Does parallel repetition lower the errorin computationally sound protocols? In Proceedings of the 38th Annual Symposium onFoundations of Computer Science, FOCS ’97, pages 374–, Washington, DC, USA, 1997.IEEE Computer Society.

14. M. Bellare, J. Kilian, and P. Rogaway. The security of cipher block chaining. InAdvances in Cryptology - CRYPTO ’94, 14th Annual International Cryptology Conference,Santa Barbara, California, USA, August 21-25, 1994, Proceedings, pages 341–358, 1994.

15. M. Bellare and T. Ristenpart. Simulation without the artificial abort: Simplified proofand improved concrete security for waters’ IBE scheme. In Advances in Cryptology -EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applicationsof Cryptographic Techniques, Cologne, Germany, April 26-30, 2009. Proceedings, pages407–424, 2009.

16. E. Biham, Y. J. Goren, and Y. Ishai. Basing weak public-key cryptography on strongone-way functions. In Theory of Cryptography, Fifth Theory of Cryptography Conference,TCC 2008, New York, USA, March 19-21, 2008., pages 55–72, 2008.

17. K. Bringmann, P. Gawrychowski, S. Mozes, and O. Weimann. Tree edit distancecannot be computed in strongly subcubic time (unless APSP can). In Proceedings ofthe Twenty-Ninth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2018,New Orleans, LA, USA, January 7-10, 2018, pages 1190–1206, 2018.

18. M. L. Carmosino, J. Gao, R. Impagliazzo, I. Mihajlin, R. Paturi, and S. Schneider.Nondeterministic extensions of the strong exponential time hypothesis and conse-quences for non-reducibility. In Proceedings of the 2016 ACM Conference on Innovationsin Theoretical Computer Science, Cambridge, MA, USA, January 14-16, 2016, pages 261–270, 2016.

19. T. M. Chan. More logarithmic-factor speedups for 3sum, (median, +)-convolution,and some geometric 3sum-hard problems. In Proceedings of the Twenty-Ninth AnnualACM-SIAM Symposium on Discrete Algorithms, SODA 2018, New Orleans, LA, USA,January 7-10, 2018, pages 881–897, 2018.

20. B. Chor, E. Kushilevitz, O. Goldreich, and M. Sudan. Private information retrieval.J. ACM, 45(6):965–981, 1998.

21. C. Cooper, A. M. Frieze, K. Mehlhorn, and V. Priebe. Average-case complexity ofshortest-paths problems in the vertex-potential model. Random Struct. Algorithms,16(1):33–46, 2000.

22. A. Degwekar, V. Vaikuntanathan, and P. N. Vasudevan. Fine-grained cryptogra-phy. In Advances in Cryptology - CRYPTO 2016 - 36th Annual International CryptologyConference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part III, pages533–562, 2016.

23. W. Diffie and M. Hellman. New directions in cryptography. IEEE Trans. Inf. Theor.,22(6):644–654, Sept. 2006.

24. C. Dwork, M. Naor, and O. Reingold. Immunizing encryption schemes from de-cryption errors. In C. Cachin and J. L. Camenisch, editors, Advances in Cryptology -EUROCRYPT 2004, pages 342–360, Berlin, Heidelberg, 2004. Springer Berlin Heidel-berg.

25. A. Gajentaan and M. H. Overmars. On a class of O(n2) problems in computationalgeometry. Comput. Geom., 45(4):140–152, 2012.

26. F. L. Gall. Powers of tensors and fast matrix multiplication. In International Sympo-sium on Symbolic and Algebraic Computation, ISSAC ’14, Kobe, Japan, July 23-25, 2014,pages 296–303, 2014.

27. O. Goldreich and L. A. Levin. A hard-core predicate for all one-way functions. InProceedings of the Twenty-first Annual ACM Symposium on Theory of Computing, STOC’89, pages 25–32, New York, NY, USA, 1989. ACM.

31

28. J. Hartmanis and R. E. Stearns. On the computational complexity of algorithms.Transactions of the American Mathematical Society, 117:285–306, 1965.

29. E. Hazan and R. Krauthgamer. How hard is it to approximate the best nash equilib-rium? SIAM J. Comput., 40(1):79–91, 2011.

30. F. C. Hennie and R. E. Stearns. Two-tape simulation of multitape turing machines.J. ACM, 13(4):533–546, Oct. 1966.

31. R. Impagliazzo. A personal view of average-case complexity. In Proceedings of theTenth Annual Structure in Complexity Theory Conference, Minneapolis, Minnesota, USA,June 19-22, 1995, pages 134–147, 1995.

32. R. Impagliazzo and M. Naor. Efficient cryptographic schemes provably as secure assubset sum. 9, 02 2002.

33. M. Jerrum. Large cliques elude the metropolis process. Random Struct. Algorithms,3(4):347–360, 1992.

34. A. Juels and M. Peinado. Hiding cliques for cryptographic security. Designs, Codesand Cryptography, 20(3):269–280, Jul 2000.

35. D. M. Kane and R. R. Williams. The orthogonal vectors conjecture for branchingprograms and formulas. CoRR, abs/1709.05294, 2017.

36. J. Katz and N. Wang. Efficiency improvements for signature schemes with tightsecurity reductions. In Proceedings of the 10th ACM Conference on Computer and Com-munications Security, CCS 2003, Washington, DC, USA, October 27-30, 2003, pages 155–164, 2003.

37. T. Kopelowitz, S. Pettie, and E. Porat. Higher lower bounds from the 3sum conjec-ture. In Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on DiscreteAlgorithms, SODA 2016, Arlington, VA, USA, January 10-12, 2016, pages 1272–1287,2016.

38. L. Kucera. Expected complexity of graph partitioning problems. Discrete AppliedMathematics, 57(2-3):193–212, 1995.

39. L. A. Levin. On storage capacity of algorithms. Soviet Mathematics, Doklady,14(5):1464–1466, 1973.

40. A. Lincoln, V. V. Williams, and R. R. Williams. Tight hardness for shortest cyclesand paths in sparse graphs. In Proceedings of the Twenty-Ninth Annual ACM-SIAMSymposium on Discrete Algorithms, SODA 2018, New Orleans, LA, USA, January 7-10,2018, pages 1236–1252, 2018.

41. Y. Lindell. Tutorials on the Foundations of Cryptography: Dedicated to Oded Goldreich.Springer Publishing Company, Incorporated, 1st edition, 2017.

42. V. Lyubashevsky, A. Palacio, and G. Segev. Public-key cryptographic primitivesprovably as secure as subset sum. In Proceedings of the 7th International Conference onTheory of Cryptography, TCC’10, pages 382–400, Berlin, Heidelberg, 2010. Springer-Verlag.

43. R. C. Merkle. Secure communications over insecure channels. Commun. ACM,21(4):294–299, Apr. 1978.

44. M. Patrascu. Towards polynomial lower bounds for dynamic problems. In Pro-ceedings of the 42nd ACM Symposium on Theory of Computing, STOC 2010, Cambridge,Massachusetts, USA, 5-8 June 2010, pages 603–610, 2010.

45. Y. Peres, D. Sotnikov, B. Sudakov, and U. Zwick. All-pairs shortest paths in O(n2)time with high probability. J. ACM, 60(4):26:1–26:25, 2013.

46. S. Pettie. Higher lower bounds from the 3sum conjecture. Fine-Grained Complexityand Algorithm Design Workshop at the Simons Institute, 2015.

47. A. A. Razborov and S. Rudich. Natural proofs. In Proceedings of the Twenty-SixthAnnual ACM Symposium on Theory of Computing, 23-25 May 1994, Montreal, Quebec,Canada, pages 204–213, 1994.

32

48. O. Regev. On lattices, learning with errors, random linear codes, and cryptography.In Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing,STOC ’05, pages 84–93, New York, NY, USA, 2005. ACM.

49. R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signaturesand public-key cryptosystems. Commun. ACM, 21(2):120–126, Feb. 1978.

50. A. Russell and H. Wang. How to fool an unbounded adversary with a short key.In Proceedings of the International Conference on the Theory and Applications of Crypto-graphic Techniques: Advances in Cryptology, EUROCRYPT ’02, pages 133–148, London,UK, UK, 2002. Springer-Verlag.

51. A. Shamir. How to share a secret. Commun. ACM, 22(11):612–613, 1979.52. P. W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring.

In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, SFCS’94, pages 124–134, Washington, DC, USA, 1994. IEEE Computer Society.

53. G. S. Tseitin. Seminar on math, logic. 1956.54. V. Vassilevska Williams. On some fine-grained questions in algorithms and com-

plexity. In Proceedings of the International Congress of Mathematicians, page to appear,2018.

55. V. V. Williams. Multiplying matrices faster than coppersmith-winograd. In Proceed-ings of the 44th Symposium on Theory of Computing Conference, STOC 2012, New York,NY, USA, May 19 - 22, 2012, pages 887–898, 2012.

56. V. V. Williams and R. Williams. Subcubic equivalences between path, matrix and tri-angle problems. In 51th Annual IEEE Symposium on Foundations of Computer Science,FOCS 2010, October 23-26, 2010, Las Vegas, Nevada, USA, pages 645–654, 2010.

57. V. V. Williams and R. Williams. Finding, minimizing, and counting weighted sub-graphs. SIAM J. Comput., 42(3):831–854, 2013.

Supplementary Materials

A Fine-Grained One-Way Functions

In this section, we give a construction of fine-grained OWFs (FGOWF) based onplantable T (n)-ACSH problems. We first show that even though the probabil-ity of inversion may be constant (we call this “medium” fine-grained one-way),we can do some standard boosting in the same way weak OWFs can be trans-formed into strong OWFs in the traditional sense. Then, given such a plantableproblem, we will prove that Generate(n, 1) is a medium T (n)-FGOWF. Then,from this medium FGOWF, we can compile a strong FGOWF using this boost-ing trick. Then, since Zero-k-Clique is plantable (see Theorem 12), this impliesthat assuming Zero-k-Clique is hard yields fine-grained OWFs.

Finally, we discuss the possibility of fine-grained hardcore bits and pseu-dorandom generators. It turns out that the standard Goldreich-Levin [27] ap-proach to creating hardcore bits works in a similar fashion here, but requiressome finessing; it will not work for all fine-grained OWFs.

We will be using O(·) to suppress sub-polynomial factors of n (as opposedto only lg(n) factors).

33

A.1 Weak and Strong OWFs in the Fine-Grained Setting

Traditional cryptography has notions of weak and strong OWFs. Weak OWFscan be inverted most of the time, but a polynomial-fraction of the time, theycannot be. These weak OWFs can be compiled into strong OWFs (showing thatweak OWFs imply strong OWFs), where there is a negligible chance that theresulting strong OWF is invertible over the choice of inputs.

Here we will briefly define “medium” T (n)-FGOWFs, and show how theycan imply a “strong” T (n)-FGOWF, where “strong” refers to definition 4

Definition 23. A function f is a medium T (n)-FGOWF if there exists a sub-polynomialfunction Q(n) such that for all PFTT (n) adversaries A,

Prx

$←0,1n

[A(f(x)) ∈ f−1(f(x))

]≤ 1− 1

Q(n).

Claim. Medium T (n)-FGOWFs imply strong T (n)-FGOWFs for any polyno-mial T (n) that is at least linear.

Proof. The structure of this proof will follow Yao’s original argument augment-ing weak OWFs to strong ones. Intuitively, we are able to use this argumentbecause sub-polynomial functions compose well with each other.

Assume for the sake of contradiction that no strong T (n)-FGOWF exists.Then, there exists some function p′(n) such that p′(n) is sub-polynomial and forall functions f computable in T (n)1−ε time there exists a PFTT (n) adversarythat can invert the function f with probability 1− 1

p′(n) .Let f be a medium T (n)-FGOWF, where the probability any PFTT (n) ad-

versary inverts it is 1 − 1Q(n) . The basic idea will be to produce g that is just a

concatenation of many fs, just as in the traditional cryptographic case.For any positive-integer function c(n), let g(x1|| . . . ||xc(n)) = f(x1)|| . . . ||f(xc(n)),

where || denotes concatenation. Let c(n) = 4 (Q(n)r(n))2 (or the ceiling of

4 (Q(n)r(n))2, if not an integer). Where r(n) is a subpolynomial function such

that r(n) ≥ p′(c(n) · n). Note that p′(n) is subpolynomial, and that as a resultsome such function r(n) exists. Specifically, setting r(n) = p′(n2) satisfies bothcriteria.

Now note that c(n) · n = O(n), and so T (c(n) · n) = O(T (n)). Furthermore,g is a T (c(n) · n) = O(T (n))-FGOWF since c(n) is subpolynomial.

Now, for sake of contradiction, let A be a PFTT (n) such that there exists asubpolynomial function p′ where

Pr[A(g(x1|| . . . ||xc)) ∈ g−1(g(x1|| . . . ||xc))

]≥ 1

p′(c(n) · n).

Let p(n) = p′(c(n) ·n). Because c(n) ·n = O(n2) and p′(n) is sub-polynomial,p′(c(n) · n) = p(n) is also sub-polynomial. Therefore,

Pr[A(g(x1|| . . . ||xc)) ∈ g−1(g(x1|| . . . ||xc))

]≥ 1

p(n).

34

We will define a PFTT (n) function A0 that makes a single call toA: on inputy = f(x)

1. Choose i $← [c(n)].2. Let zi = y

3. For all j ∈ [c(n)], j 6= i, xj$← 0, 1n and zj = f(xj).

4. Run A on (z1, . . . , zc(n)) to get output (x1, . . . , xc(n)) if A succeeds.5. If A succeeded, output xi.

Because all operations in A0 are either calling A (once) or take time O(n ·c(n)),4 A0 is a PFTT (n) algorithm. Now, we will let B be an algorithm callingA0 d(n) = 4c(n)2(n)p(n)Q(n) times, returning a valid inversion of f(x) if Asucceeded at least once.

We will call x ∈ 0, 1n ’good’ if A0 inverts it with probability at least1

2c2(n)p(n) ; x is ’bad’ otherwise. Notice that if x is good, then B, which runs Amany times, succeeds with high probability:

Pr [B(f(x)) fails|x is good] ≤(1− 1

2c2(n)p(n)

)d(n)∼ e−2Q(n) <

1

2Q(n).

We will show that there are at least 2n(1− 12p(n) ) good elements.

Claim. There are at least 2n(1− 12p(n) ) good elements.

Proof. For a contradiction, assume there are at least 2n( 12p(n) ) bad elements.

We will end up contradicting the inversion probability of A (which is at least1/p(n)). For notation, let x = (x1, . . . , xc(n)) ∈ 0, 1n·c(n), and x will be chosenuniformly at random over the input space.

Prx[A(z = g(x)) succeeds] = Pr[A(z) succeeds ∧ ∃bad xj ]

+ Pr [A(z) succeeds ∧ xj good ∀j ∈ [c(n)]]

Now, for all j ∈ [c(n)],

Prx[A(z) succeeds ∧ xj is bad] ≤ Pr

x[A(z) succeeds|xj is bad]

≤ c(n) Prx[A0(f(xj)) succeeds|xj is bad]

≤ c(n)

2c2(n)p(n)=

1

2c(n)p(n)

So, if we just union bound over all j, we get

Prx[A(z) succeeds∧some xj are bad] ≤

c(n)∑j=1

Prx[A0(f(xj)) succeeds∧xj is bad] ≤ 1

2p(n).

4 It does not make much sense for T (n) to be sublinear for our contexts

35

And one more quick upper bound yields

Pr[A(z) succeeds ∧ all xj are good] ≤ Prx[all xj good]

<

(1− 1

2p(n)

)c(n)≤ e−2(Q(n)r(n))2/p(n)

≤ e−2(Q(n))2·p(n) <1

2p(n).

Finally, this yields the contradiction to the claim that there are at least 2n( 12p(n) )

bad elements:

Prx[A(z) succeeds] <

1

p(n).

ut

Note that p(n) ≥ Q(n) because 1/Q(n) is the maximum probability of in-verting a single copy of f(·), where as 1/p(n) is assumed (for contradiction) tobe the probability that a function inverts c(n) copies of f(·) simultaneously. So,there are at most 2n( 1

2Q(n) ) bad elements.Now that we know there is a high probability that we hit a good x, we can

finish the rest of this proof.

Prx[B(f(x)) fails] = Pr[B(f(x)) fails|x is good] Pr

x[x is good]

+ Pr[B(f(x)) fails|x is bad] Prx[x is bad]

≤ Pr[B(f(x)) fails|x is good] Prx[x is good] + Pr

x[x is bad]

≤ 1

2Q(n)

(1− 1

2Q(n)

)+

1

2Q(n)<

1

Q(n)

Thus, the chance that B actually has of inverting f is strictly greater than 1 −1

Q(n) , contradicting the claim that f was medium-hard with respect toQ(n). ut

Weaker Fine-Grained OWFs. Now, because we are in the fine-grained setting, wecan talk about gaps. There is a notion of weak-OWFs in cryptography where wecan say if there exists any polynomial such that we can invert with probability1 − 1/poly, we can construct strong OWFs. We want a similar notion for fine-grained OWFs. Here we can’t just choose any polynomial — we have to choosea polynomial that respects the gap.

Formally, for an T (n)-FGOWF f that has PFTT (n) adversaries inverting itwith probability 1 − 1/P (n) for some P (n), we can get that a PFTT (n) adver-sary can invert f with probability (1− 1/P (n))c(n). Now, as long as there existsδ′ such that T (n)1−δP (n) = T (n)1−δ

′, there is still a gap (δ′ < δ) even if we

compute f P (n) times to evaluate f . Therefore, we are able to get a strong fine-grained OWF from a weak one, as long as it’s not too weak.

36

A.2 Building Fine-Grained OWFs from Plantable Problems

Here we show that one can generate fine-grained one way functions from plantableproblems. Recall the definition of Plantable states that there exists an algorithmGenerate(n, b) where when b = 0, an instance of the problem without a solutionis generated, and when b = 1, an instance of a problem with one solution is gen-erated with probability at least 1 − ε. This probabilistic element, ε, is actually abound on the total variation distance of the distributions we are actually aimingto sample from: Generate(n, 0) and Generate(n, 1) have total variation distanceat most ε from D0(P, n) and D1(P, n) respectively.

Theorem 8. If there exists a Plantable T (n)-ACSH problem where G(n) is PFTT (n)

with error some constant ε < 99/200, then T (n)-FGOWFs exist. 5

Proof. Let P be a Plantable T (n)-ACSH problem where G(n) = T (n)1−δ forsome constant δ > 0. So, the (randomized) algorithm Generate(n, 1) is PFTT (n)

and outputs an instance I that has at least one solution — we write this asGenerate(n, 1; r) when explicitly noting which randomness was used.

We want to show that being able to invert Generate(n, 1; r), over the distribu-tion from r, in a fine-grained sense, is as hard as solving the ACSH problem P .Let ε be the upper bound on the total variation distance between Generate(n, 1)and D1(P, n), as per Definition 11.

For sake of contradiction, assume that no medium T (n)-FGOWF exist. So, wecan invert Generate(n, 1) with any probability 1− 1

Q(n) for any sub-polynomialQ(n) in time T (n)1−δ for some constant δ > 0. Let A be a PFTT (n) algorithmthat inverts Generate(n, 1) with probability γ > 1 − 1

log(n) (note that log(n) issignificant). We will show that this violates the assumption that P is a T (n)-ACSH problem.

We now construct a PFTT (n) algorithm B that produces a witness for anACSH instance from D1 with probability than 1/100, violating the hardnessassumption on P .

– Given I from distribution D1, B gives I to A.– A outputs r.– If Generate(n, 1; r) == (wit(I), I), output the witness wit(I). Otherwise,

output failure symbol ⊥.

We will now compute the probability that B successfully produces a witnessfor an instance drawn fromD1: PrI∼D[B(I) == wit(I)]. Recall that Generate(n, 1)is ε-close to D1 in TVD. So, let pG1

be the pdf of Generate(n, 1) and pD1be

the pdf of D1. Let I be the set of all instances of the problem. Let S = I ∈Im(Generate(n, 1)) : Generate(n, 1;A(I)) = I be the set of instances producedby Generate thatA can successfully invert. Note that TVD(D1,Generate(n, 1)) ≤

5 We thank Chris Brzuska, Ameet Gadekar, Pihla Karanko and Luisa Zeppelin forpointing out a mistake in the original version of this proof. We amended the theo-rem statement by changing ACIHto ACSH, adding the word ’constant’, and fixingthe proof accordingly.

37

ε means∑I∈I |pD(I) − pG(I)| ≤ 2ε by the definition of TVD. This leads to the

following inequality:

2ε ≥∑I∈I|pD1(I)− pG1(I)|

≥∑I∈S|pD1

(I)− pG1(I)|

≥∑I∈S

[pD1(I)]−

∑I∈S

[pG1(I)] .

This implies∑I∈S [pG1

(I)] ≥∑I∈S [pD1

(I)]−2ε, and therefore PrI∼D1[B(I) ==

wit(I)] ≥ γ − 2ε.Now because ε is a constant less than 99/200, ε < 99/200 − δ for a constant

δ. This means that

γ − 2ε > 1− 1

log(n)− 2

(99

200− δ)

=1

100+ 2δ − 1

log(n)

>1

100

So, assuming P is T (n)-ACSH, i.e. no adversary has better than a 1/100chance of being able to invert Generate(n, 1; r), then Generate is a medium T (n)-FGOWF. By claim A.1, this implies strong T (n)-FGOWFs exist. ut

This proof also works for Plantable ACIH problems if the support of Generate(n, 1)is disjoint from the support of D0: e.g. Generate(n, 1) produces an instance thathas at least one solution. For this case, we need the error to be some constantε < 1/3. The proof follows a similar structure to the one above, except we useB to distinguish between D0 and D1 instead of producing a witness.

Theorem 9. If there exists a Plantable T (n)-ACIH problem where G(n) is PFTT (n)

with error some constant ε < 1/3 and the support of Generate(n, 1) is disjoint fromthe support of D0, then T (n)-FGOWFs exist.

Proof. This proof will follow a similar strategy to the proof of Theorem 8. We letP be a Plantable T (n)-ACIH problem where G(n) is PFTT (n) with error someconstant ε < 1/3. This time we have the additional requirement that D0 andGenerate(n, 1) are disjoint in their supports; this requirement was already truefor Plantable ACIH problems since Generate(n, 1) also needed to produce a wit-ness (implying that the instance could not have been in the support of D0).

Next, assume that no medium T (n)-FGOWF exist, again implying that wecan invert Generate(n, 1) with any probability 1− 1

Q(n) for any sub-polynomialQ(n) in time T (n)1−δ for some constant δ > 0. We will let Q(n) = log(n) andA0 be a PFTT (n) algorithm that inverts Generate(n, 1) with probability γ > 1 −

38

1log(n) . We will now construct an algorithm B that usesA to distinguish betweenD0 and D1 with probability at least 2/3.

Let B do the following:

– Given I from distribution D, B gives I to A.

– A outputs r

– If Generate(n, 1; r) == I , output 1. Otherwise output 0.

Recall that D is just sampling with D0 with probability 1/2, and otherwisesamples from D1. For the sake of brevity let the notation I ∈ D0 and I ∈ D1

convey that I is in the support of D0 and the support of D1 respectively. Whencomputing the probability that B distinguishes betweenD0 andD1 when givenan input from D, we have

PrI∼D

[B(I) distinguishes D0 from D1] = PrI∼D1

[B(I) = 1] · PrI∼D

[I ∈ D1]

+ PrI∼D0

[B(I) = 0] · PrI∼D

[I ∈ D0]

=1

2PrI∼D1

[B(I) = 1] +1

2PrI∼D0

[B(I) = 0].

First, we note that PrI∼D0 [B(I) = 0] = 1 because Generate(n, 1; r) is guaranteedto produce a witness for all randomness r. This means that any I sampled fromD0 is not in the image of Generate(n, 1), and therefore,A cannot produce a validinverse.

Then, we use the fact thatD1 is close in total variation distance to Generate(n, 1)to show that PrI∼D1

[B = 1] ≥ γ−2ε. Let pG1be the pdf of Generate(n, 1) and pD1

be the pdf of D1. Let I be the set of all instances of the problem. Let S = I ∈Im(Generate(n, 1)) : Generate(n, 1;A(I)) = I be the set of instances producedby Generate thatA can successfully invert. Recall that TVD(D1,Generate(n, 1)) ≤ε means

∑I∈I |pD(I)− pG(I)| ≤ 2ε by the definition of TVD.

2ε ≥∑I∈I|pD1(I)− pG1(I)|

≥∑I∈S|pD1

(I)− pG1(I)|

≥∑I∈S

[pD1(I)]−

∑I∈S

[pG1(I)] .

This implies∑I∈S [pG1

(I)] ≥∑I∈S [pD1

(I)] − 2ε, and therefore PrI∼D1[B =

1] ≥ γ − 2ε. Notice that since ε is constant and less than 13 , 1

3 − α = ε for some

39

constant α > 0. Putting this together, we have that

PrI∼D

[B(I) distinguishes D0 from D1] ≥1

2· (γ − 2ε) +

1

2

=γ

2− ε+ 1

2

= 1− 1

2 log(n)− ε

≥ 1− 1

2 log(n)−(1

3− α

)>

2

3.

Note that 12 log(n) is less (asymptotically) that any constant α. Specifically, there

is a constant n0 depending on α such that for all n > n0, α > 1/2 log(n). Thus,the sum of these terms is (asymptotically) greater than 2

3 . ut

Note that k-Sum-R and Zero-k-Clique-R are plantable with error less than1/3 the whenR > 6nk by Theorem 12 and Theorem 11, these are both plantableand therefore can be used to build these fine-grained OWFs.

A.3 Fine-Grained Hardcore Bits and Pseudorandom Generators

One way functions serve as the building block for a lot of symmetric encryption,and are (usually) implied by any other cryptographic primitive, from collision-resistant hash functions to symmetric-key encryption, to any flavor of publickey encryption, and so on. The next step to building more cryptographic prim-itives with one-way functions is to see if we can use them to construct pseudo-random generators. While we do not yet have a construction of a fine-grainedpseudorandom generator that can generate some sub-polynomial many pseu-dorandom bits6, we take the first steps, showing how to get hardcore bits.

Definition 24. A function b is a fine-grained hardcore (FGHC) predicate for a T (n)-FGOWF if for all PFTT (n) adversaries A,

Prx

$←0,1n[A(f(x)) = b(x)] ≤ 1

2+ insig(n).

Recall that in traditional cryptography, any OWF implies the existence ofanother OWF with a hardcore bit with the Goldreich-Levin (GL) construction[27]. The bad news: the GL construction required a security reduction withO(n)evaluations of the one-way function. Given how we define problems to be T (n)-ACSH hard, this security reduction would not be PFTT (n).

6 Note that due to the nature of being fine-grained, we cannot generate polynomially-many bits without additional assumptions

40

Theorem 10 (Fine-Grained Goldreich-Levin). Let f be an T (n)-FG-OWF actingon strings (x, y), where |x| = n and |y| = Q(n) for some subpolynomial Q, andassume there exists a PFTT (n) algorithm L such that

Pr[L(f(x, y), y) ∈ f−1(f(x, y))] ≥ sig(n).

Then, the function f ′ : (x, y, r) 7→ f(x, y)||r where |r| = |y| has the hardcore bit y · r.

Proof. Here we just trace through the GL reduction and show that as long as |y|is sub-polynomial, the reduction will go through.

First, the size of y, Q(n), cannot be any subpolynomial, it must be largeenough so that it is as hard to guess y as it is to invert f (because guessing yyields a significant chance of inverting f ). If f is T (n)-hard to invert, then thetime it takes to randomly guess bits, 2Q(n), must be at least T (n). Since T (n) isat least linear, we can assume Q(n) ≥ log(n).

For a contradiction, assume that a PFTT (n) adversary A has a significantadvantage ε in determining r ·y when given f(x, y), r. We will show this impliesB, a PFTT (n) algorithm using A, can invert f with significant probability.B behaves as follows with parameter m = 2Q(n)/ε on input x′ = f(x, y):

– For every i ∈ [Q(n)]:

1. Choose log(m) pairs (b1, r1), . . . , (blog(m), rlog(m))$← 0, 1 × 0, 1Q(n).

2. For every I in the powerset of [log(m)], let b′I =∑j∈I bj mod 2.

3. For every I in the powerset of [log(m)], let rI =∑j∈I rj mod 2.

4. For every I in the powerset of [log(m)],

• Let sI ← ei ⊕ rI where ei is the ith standard basis vector (ei is allzeros except for one 1 in the ith index).• Let gI ← b′I ⊕A(x′||sI)

5. Let zi = the Majority bit over all 2log(m) bits gI .

– Output z = z1, . . . , zQ(n).

First, consider the set S =(x, y)|Prr[A(f(x, y)||r) = r · y] ≥ 1

2 + ε2

. A quick

calculation yields |S| > ε · 2n−1.So, assume that our input (x, y) ∈ S. Now, assume that every pair we chose

in step 1 has the property bi = ri · y (we correctly guessed the bit in question).This event occurs with probability 1/m.

Next, notice that each pair of sI , and sJ (I 6= J) are independent, and so thewhole set is pairwise independent. So, if (x, y) ∈ S,Awill return the correct bitgiven f(x, y)||rI at least an ε/2-fraction of the time for independent r’s. Becauseof the pairwise independence, a Chebyshev bound yieldsAwill return the cor-rect bit a majority of the time after the m queries (so Majority(gI) outputs thecorrect bit yi) with probability at least 1− 1

m(ε/2)2 .

41

Finally, we put all of these pieces together to get

Pr[B(f(x, y)) = y] ≥ Pr[B(f(x, y)) = y|(x, y) ∈ S] · ε2

=ε

2(1− Pr[∃i s.t. yi 6= zi|(x, y) ∈ S])

≥ ε

2(1−Q(n) Pr[yi 6= zi|(x, y) ∈ S])

≥ ε

2

(1−Q(n) Pr[yi 6= zi|(x, y) ∈ S ∧ guessed all bi correctly] · 1

m

)≥ ε

2

(1− Q(n)

m· 1

m(ε/2)2

)=ε

2− 4Q(n)

m2ε

Recall we set m = 2Q(n)/ε, and since ε is significant and Q is subpolyno-mial,m is also subpolynomial. Importantly, becauseB runs inO(Q(n)·mT (n)1−δ),B is PFTT (n).

Therefore, the probability that B succeeds in finding yi (and hence invertingf(x, y) with significant probability), with probability ε

2 −4Q(n)ε4Q2(n) ≥

ε2 −

4εQ(n) .

Recall that Q(n) is at least linear in n, and so we can assume Q(n) > 16. Thisimplies the probability B succeeds is ε

4 .Because ε is significant, B breaks the fine-grained one-wayness of f . This is

a contradiction. Therefore, ε must be insignificant. ut

Hardcore bits from k-Sum and Zero-k-Clique For both of these problems,planting a solution is exactly choosing some number of values (k for k-Sum,and the edge weights of a k-clique for Zero-k-Clique) and changing one of themso that the values now give a solution.

Corollary 3. Assuming either the Weak k-Sum hypothesis or weak Zero-k-Clique hy-pothesis, there exist FGOWFs with fine-grained hardcore bits.

Proof. This is straightforward due to the nature of planting for both of these hy-potheses. Informally, planting for these problems is choosing a location withinthe given instance to put a solution. If an adversary learns where that solutionis supposed to be, generating an instance without that specific solution is easy.

First, let’s prove this for k-Sum. The reason k-Sum is plantable is becauseGenerate(n, 1) chooses k indices at random in the k-Sum instance, and thenchanges the value one of them to make those k instances form a solution thek-Sum. This randomness requires specifying k instances out of kn, and an edge-weight. Let y be the k log(n) bits required to describe the k locations of the so-lution; y is part of the total randomness r used in Generate(n, 1). Without loss ofgenerality, we can write r = y||r′. Let f ′(y||r′, s) = Generate(n, 1; y||r′)||s. Since|y| is sub-polynomial, by Theorem 10, the bit y · s is hardcore for f ′.

Now, let’s make the same argument for Zero-k-Clique. As before, Generate(n, 1; r)can be written as Generate(n, 1; y||r′) where y is the location of the zero k-clique

42

generated. This location is just k · log(n) bits; one coordinate from n for each ofthe k partitions in the graph. Therefore, we can define f ′(y||r′, s) = Generate(n, 1; y||r′)||s,which, by Theorem 10, has the hardcore bit y · s. ut

B Properties of k-Sum and Zero-k-Clique Hypotheses

In this section, we will prove the properties that k-Sum and Zero-k-Clique havethat will make them useful in constructing fine-grained OWFs and our fine-grained key exchange.

B.1 k-Sum is Plantable from a Weak Hypothesis

Here we will show that by assuming the Weak k-Sum hypothesis (see defini-tion 18), we get that k-Sum is plantable and n2+δ-ACIH. The proof is relativelystraightforward: just show that planting a solution in a random k-Sum-R in-stance is easy while making sure that the distributions are close to what youexpect.

Theorem 11. Assuming the weak k-Sum-R hypothesis, k-Sum-R is plantable witherror ≤ 2nk/R in O(n) time.

Proof. First, we will define Generate(n, b):

– b = 0: choose all kn entries uniformly at random from [0, R−1], taking timeO(n).

– b = 1: choose all kn entries uniformly at random from [0, R−1], then choosevalues v1, . . . , vk, each vi at random from partition Pi, and choose i $← [k].Set vi = −

∑j 6=i vj mod R. This takes time O(n).

We need to show that Generate(n, 0) is ε-close to D0 and Generate(n, 1) isε-close to D1.

First, we note that Generate(n, 0) has the following property: PrI∼Generate(n,0)[I =I ′|I has no solutions] = PrI∼D0

[I = I ′]. This is because Generate(n, 0) sam-ples uniformly over the support of D0. So, the total variation distance betweenGenerate(n, 0) and D0 is the probability Generate(n, 0) samples outside of thesupport ofD0, that is, the probability Generate(n, 0) samples an I with a value 1or greater. Let TVD denote Total Variation Distance between two distributions.Now, a union bound gives us

TVD(Generate(n, 0), D0) = PrI∼Generate(n,0)

[I has at least 1 solution]

≤∑

all nk sums s ∈ [n]kPr

I∼Generate(n,0)[s is a k-Sum]

=nk

R.

43

Now, to show that Generate(n, 1) is ε-close to D1, we will use the fact thattotal-variation distance (TVD) is a metric and the triangle inequality. Let Generate(n, 0)+Plant and D0+ Plant denote sampling from the first distribution and planting ak-Sum solution at random (so Generate(n, 0)+ Plant = Generate(n, 1)). We havethat

TVD(Generate(n, 1), D1) ≤ TVD(Generate(n, 0) + Plant, D0 + Plant)+ TVD(D0 + Plant, D1).

The distance Generate(n, 0)+ Plant from D0+ Plant is equal to the distancefrom Generate(n, 0) and D0, since the planting does not change between dis-tributions. As previously shown, this distance is at most n

k

R . The distance fromD0+ Plant and D1 is just the chance that we introduce more than one cliqueby planting. We are only changing one value in the D0 instance, vi. There arenk−1 − 1 ≤ nk−1 possible sums involving vi, so the chance that we accidentallyintroduce an unintended k-Sum solution is at most n

k−1

R . Therefore,

TVD(Generate(n, 1), D1) ≤nk

R+nk−1

R<

2nk

R

ut

Note that when R > 6nk, Generate(n, 1) has total variation distance < 1/3from D1(k−SUM−R,n).

B.2 Zero-k-Clique is also Plantable from Weak or Strong Hypotheses

The proof in this section mirrors of the proof that k-Sum-R is plantable. Notethat the size of a k-Clique instance is O(n2), and so the fact that this requiresO(n2) time is just that it is linear in the input size. Here we will just list whatthe Generate functionality is:

– Generate(n, 0) outputs a complete k-partite graph with n nodes in each par-tition, and edge weights drawn uniformly from ZR. This takes O(n2) time.

– Generate(n, 1) starts with Generate(n, 0), and then plants a clique by choos-ing a node from each partition, v1 ∈ P1, . . . , vk ∈ Pk, choosing an i 6= j

$←[k], and setting the weightw(vi, vj) = −

∑(i′,j′) 6=(i,j) w(vi′ , vj′) mod R. This

also takes O(n2) time.If assuming the strong hypothesis (search problem), we can also output awitness, (v1, . . . , vk), of size O(log n).

Unfortunately for it seems difficult to show that k-Sum is average-case list-hard or splittable. However, we will show that if we assume that Zero-k-Clique isonly search hard (a strictly weaker assumption than being indistinguishablyhard), we can get the plantable, list-hard, and splittable properties — the caveatis that we need to assume that Zero-k-Clique requires Ω(nk) time to solve (notjust super-linear in time).

44

Before proving the theorem, we need a couple of helper lemmas to charac-terize the total variation distance, etc. These lemmas will be useful later on aswell.

Lemma 5. The distribution Dzkc0 [R,n] has total variation distance ≤ nk/R from the

distribution of instances drawn from Generate(n, 0).

Proof. Dzkc0 [R,n] is uniform over all instances of size n where there are no solu-

tions. Generate(n, 0) is uniform over all instances of size n.Let D be the distribution of instances in Generate(n, 0) which are in the sup-

port of Dzkc0 [R,n]. Because both Generate(n, 0) and Dzkc

0 [R,n] are uniform overthe support of Dzkc

0 [R,n], D = Dzkc0 [R,n].

So the total variation distance between Dzkc0 [R,n] and Generate(n, 0) is just

PrI∼Generate(n,0)[I 6∈ the support of Dzkc0 [R,n]].

The expected number of zero k-cliques is nk/R, every set of k nodes has achance of 1/R of being a zero k-clique. Thus, the probability that an instancehas a non-zero number of solutions is ≤ nk/R. So, the total variation distanceis ≤ nk/R.

Lemma 6. The distributionDzkc1 [R,n] has total variation distance≤ nk/R+nk−2/R

from the distribution of Generate(n, 1).

Proof. We want to first show that Generate(n, 1) is uniform over the supportof Dzkc

1 [R,n]. Consider an instance I in the support of Dzkc1 [R,n]. Let S(I) =

a1, . . . , ak be the set of k nodes in which there is a zero k-clique.PrI′∼Generate(n,1)[I ′ =I] is given by the chance that

– the nodes chosen in I ′ (a′1, . . . , a′k) to plant a clique are the same as those inS(I),

– the edges in the clique have the same weights in I ′ and I and,– all edges outside the clique have the same weight in I ′ and I .

PrI′∼Generate(n,1)[I′ = I] =

(n−k

) (R−(

k2)−1

)(R−(

k2)(n

2−1)).

This is the same probability for all instances I in the support of Dzkc1 [R,n].

So, we need only bound the probability

PrI∼Generate(n,1)[I 6∈ the support of Dzkc1 [R,n]].

By Lemma 5 the initial process of choosing edges the probability of produc-ing a clique is ≤ nk/R. We then change one edge’s weight, this introduces aclique. It introduces an expected number of additional cliques ≤ nk−2/R (thisis the number of cliques it participates in). Thus, we can bound the probabilityof more than one clique by ≤ nk/R+ nk−2/R.

Theorem 12. Assuming the weak Zero-k-Clique hypothesis (ACIH) over range R,Zero-k-Clique is (O(n2), 2nk/R)-Plantable.Assuming the strong Zero-k-Clique hypothesis (ACSH) over rangeR, Zero-k-Clique isalso (O(n2), 2nk/R)-Plantable.

45

Proof. This proof simply combines the two previous lemmas: Lemma 5 andLemma 6.

Generate(n, 0) has total variation distance nk/R from Dzkc0 [R,n] by Lemma

5, and Generate(n, 1) has total variation distance nk/R+nk−2/R < 2nk/R fromDzkc

1 [R,n] by Lemma 6. So, in both cases the error is bounded above by 2nk/R.Finally note that Generate(n, 1) also can output the planted solution, the

clique it chose to set to 0, and so can output a witness.

B.3 Zero-k-Clique is Plantable, Average Case List-Hard and, Splittablefrom the Strong Zero-k-Clique Hypothesis

Here we will focus on the Strong Zero-k-Clique assumption, see Definition 20.Recall that this is the search version of the problem: given a graph with weightson its edges drawn uniformly from the k-partite graphs with exactly one zerok-clique, it is difficult to find the clique in time less than O(nk).

We already proved that Zero-k-Clique was Plantable in Theorem 11. So, nowwe will focus on the other two properties we want: list-hardness and splittabil-ity. These will give us the properties we need for our key exchange.

Zero-k-Clique is Average Case List-Hard We present the proof that Zero-k-Clique is average case list-hard.

The intuition of the proof is as follows. There is an efficient worst case self-reduction for the Zero-k-Clique problem. This self-reduction results in `′(n)k

subproblems of size n/`′(n). One can choose `′(n) of these instances such thatthey are generated from non-overlapping parts of the original instance. Theywill then look uniformly randomly generated.

Now we will have generated many, (`′(n))k, of these list versions of theZero-k-Clique problem, where only one of them has the unique solution. Weshow that the problem is Average Case List-Hard by demonstrating that we canmake many independent calls to the algorithm despite correlations between theinstances called. Specifically, we only care about the response on one of theseinstances, so as long as that instance is random then we can solve the originalproblem.

Theorem 13. Given the strong Zero-k-Clique-R Hypothesis , Zero-k-Clique is Aver-age Case List-Hard with list length `(n) for any `(n) = nΩ(1).

Proof. Let ` = `(n) for the sake of notation. I ∼ D1(Zero-k-Clique, ` · n) withk partitions, P1, . . . , Pk of ` · n nodes each and with edge weights generateduniformly at random from ZR.

Randomly partition each Pi into ` sets P 1i , . . . , P

`i where each set contains

n nodes. Now, note that if we look for a solution in all `k instances formedby taking every possible choice of P i11 , P

i22 , . . . , P

ikk , this takes time O((` · n)k),

which is how long the original size `n problem takes to solve.Sadly, not all `k instances are independent. We want to generate sets of inde-

pendent instances. Note that if we choose ` of these sub-problems such that the

46

nodes don’t overlap, then the edges were chosen independently between eachinstance! Specifically consider all vectors of the form x = 〈x2, . . . , xk〉 ∈ Zk−1` .Then let

Sx = P i1 ∪ Pi+x22 ∪ . . . ∪ P i+xk

k |∀i ∈ [1, `]

be the set of all independent partitions. Now, note that ∪x∈Zk−1`

Sx is the fullset of all possible `k subproblems, and the total number of problems in all Sx

is `k, so once again brute-forcing each Sx takes time O((` · n)k). We depict thissplitting in Figure 3.

Figure 3: A depiction of splitting the subproblems for a case where ` = 2 andk = 3.

Note that producing these each of these ` instances is efficient, it takes timeO(n2), which is just the input size.

Next, we will show that the correct number of solutions are generated. IfI has only one solution then exactly one Ij in exactly one Sx has a solution.This is because any zero-k-clique in I must involve exactly one node from eachpartition Pi. So, if there is one zero-k-clique it will only appear in subproblemswhere the node from partition Pi is in P ji and P ij appears in that subproblem.There is exactly one sub-problem generated with a specific choice of k sub-partitions. So, exactly one Ij in exactly one Sx has a solution.

Let S∗ be the list Sx that contains a Zero-k-Clique. We have that the Sx whichactually contains an instance with a solution is drawn from

I1, . . . , IxIi∼D1,∧∀j 6=i,Ij∼D0.

This distribution is exactly what we require for a list-problem. All that is leftto show is if we have PFT`·nk adversary A that can identify for which index ithere is a zero k-clique in S∗ (with probability at least 7/10), we can use A tofind the clique.

Now, recall that we are trying to solve a search problem: we need to be ableto turn an index pointing to partitions into a witness for the original problem.

47

According to the strong Zero-k-Clique hypothesis, this search requires O(nk)time. However, as long as ` = nΩ(1), this is still faster in a fine-grained sense.

On an input I from D1, algorithm B uses A as follows:

– Randomly partition each Pi from I into ` parts.– For every x ∈ Zk−1` :• Generate the list Sx.• Run A(Sx) to get output i.• Brute force search the size-n2 Zero-k-Clique instance Sx[i] = (P i1, . . . , P

i+xk

k )for a solution. If one exists, output it, otherwise, continue.

The first step only takesO(`·n) time since we are only divvying up `n nodes.The second step requires a bit more analysis. The loop runs at most `k−1 times.Each time the loop runs, it only takesO(` ·n) time to construct Sx, whileA takesO((` ·nk)(1−ε)) (since it is PFT`·nk ), and our brute force check takes O(nk) time.Putting this together, the algorithm takes a total time of

O(` · n+ `k−1((` · nk)(1−ε) + nk + ` · n)) = O(`k−εnk(1−ε) + `k−1nk) + `k · n.

Both terms in this sum are strictly less than the hypothesized `knk time, and soB is PFT(`n)k , contradicting the strong Zero-k-Clique hypothesis.

The reason we require `(n) = nΩ(1) is because if it were less than polynomialin n, we would not get noticeable improvement through this method of splittingup the problem into several sub-problems — the brute force step would take aslong as solving the original problem via brute force. ut

Zero-k-Clique is Splittable Next we show that zero-k-clique is splittable. Westart by proving this for a convenient range and then show we can use a reduc-tion to get more arbitrary ranges.

Splitting the problem over a convenient range. Intuitively we will split the weightsin half bit-wise, taking the first half of the bits of each edge weight, and then wetake the second half of the bits of each edge weight to make another instance.If the

(k2

)weights on a k clique sum to zero then the first half of all the weights

sum to zero, up to carries, and the second half of all the weights sum to zero,also up to carries. We simply guess the carries.

Lemma 7. Zero-k-Clique is generalized splittable with error ≤ 4((k2

)+ 1)nk/

√R

when R = 4x for some integer x.

Proof. We are given an instance of Zero-k-Clique I with k partitions, P1, . . . , Pkof n nodes and with edge weights generated uniformly at random from [0, R−1], where R = 22x for some positive integer x.

First we will define some helpful notation to describe our procedure.

– Let ZkC[R] denote the Zero-k-Clique problem over range R.

48

– Let w(Pi[a], Pj [b]) be the weight of the edge in instance I between the ath

node in Pi and the bth node in Pj .– Let u be some number in the range [0, R−1]. Let u↑ be the high order lg(R)/2

bits of the number u (this will be an integer because R is a power of 4). Letu↓ be the low order lg(R)/2 bits of the number u.For the sake of notation, w↑(Pi[a], Pj [b]) denotes [w(Pi[a], Pj [b])]

↑, and samefor w↓(Pi[a], Pj [b]) denoting [w(Pi[a], Pj [b])]↓.

Here is the reduction to take one instance of ZkC[R] and create a list of pairsof instances of ZkC[

√R].

1. Take the ZkC[R] instance I and create two instances of ZkC[√R], Ilow and

Ihigh by the following:– For every edge (Pi[a], Pj [b]) in I , let the corresponding edge in Ilow have

weightw↓(Pi[a], Pj [b]) and the edge in Ihigh have weightw↑(Pi[a], Pj [b]).2. For every c ∈ [0,

(k2

)] (we need only check

(k2

)possible carries):

(a) Let Ic1 be a copy of Ilow, but randomly permute all nodes.(b) Let Ic2 be a copy of Ihigh, but choose a random pair of a partitions Pi and

Pj : for all edges e2 ∈ Ic2 between Pi and Pj , a copy of edge e ∈ Ihigh, letw(e2) = w(e) + c mod

√R.

3. Output the list [(I(0)1 , I(0)2 ), . . . , (I

((k2))1 , I

((k2))2 )]

For a visual aid, see figure 4 for a depiction of the splittable triangles.We will now show that we get the desired distributions in our list of in-

stances depending on whether I ∼ D0(ZkC[R], n) or I ∼ D1(ZkC[R], n).

– I ∼ D0(ZkC[R], n). We need to show that every pair (I(c)1 , I(c)2 ) is sampled

from a distribution total variation distance≤ 2nk/√R fromD0(ZkC[

√R], n)2.

Note that every pair is correlated very heavily with every other pair with re-spect to edge weights. But, within each pair, they are close toD0(ZkC[

√R], n)2.

From lemma 5, this is TVD at most nk

R from just choosing edge-weights uni-formly at random. So, consider I ′ ∼ Generate(n, 0), and do the same opera-tions as for I in the reduction: every bit in every edge weight will be chosenuniformly at random, meaning that the edge-weights in I ′low and I ′high willalso be uniform over

√R. Permuting the nodes in I ′low does not change this

distribution, and neither does adding (any) c to a subset of edges in I ′high.

Therefore, using lemma 5, both I′(c)1 and I

′(c)2 are TVD at most nk

√R

from

D0(ZkC[√R], n). Since TVD is a metric, this implies that I(c)1 is TVD at most

nk/√R from the distribution of I ′(c)1 , and thus at most nk/

√R+ nk/R from

D0(ZkC[√R], n) — the same is true for I(c)2 , even when conditioned on I(c)1 .

Therefore, the pair, for every c, is TVD at most 2(nk/√R+ nk/R) ≤ 4nk

√R

.– I ∼ D1(ZkC[R], n). We want to show that we get a list in which exactly one

of the pairs of instances is distributed close to D1(ZkC[√R], n)2.

We will take a similar approach here, considering the planted distributionof I instead of the true one. Let I ′ ∼ Generate(n, 1), so by lemma 6, I ′ is

49

TVD at most 2nk/R from D1. We will first show that I ′low is also drawnfrom a planted distribution over the range

√R. Let e′ be the edge’s weight

that was changed to plant a zero clique. Now, for every edge except e′low,the edges of I ′low are distributed uniformly. e′ is a randomly chosen edgecorresponding to a randomly chosen clique in I ′, and therefore e′low is alsoa randomly chosen edge corresponding to a randomly chosen clique in I ′low.The act of making that clique sum to 0 mod R also requires that the low-order bits sum to 0 mod

√R — otherwise the high-order bits cannot cancel

out anything left over. Therefore, by setting w(e′) to the value making theclique sum to 0, we are exactly planting a clique in I ′low. This distributionhas TVD≤ 2nk

√R

fromD1(ZkC[√R], n). Because I ′(c)1 is just a permutation on

the nodes of I ′low for every c, I ′(c)1 will have TVD at most 2nk√R

from D1 aswell.Now, we need that at least one of the pairs in this list to be close toD1(ZkC[

√R], n)×

D1(ZkC[√R], n). It will turn out that there exists a c such that I ′(c)2 will also

be close to D1 (whereas I ′(c)1 is distributed close to D1 for every c). Let c∗

be the correct carry — that is for the clique planted in I ′,∑e∈clique w↓(e) =√

Rc∗ mod R. Now, without loss of generality, we can assume that in theplant of I ′, the edge e∗ chosen to complete the zero-k clique was betweenpartitions Pi and Pj . So, considering every other edge in I

′(c∗)2 , it is dis-

tributed uniformly at random (adding c∗ will not change that distribution).Now, for that special clique C∗ that was planted in I ′, we have that∑

e∈C∗w(e) =

√R ·

∑e∈C∗

w↑(e) +∑e∈C∗

w↓(e)

=√R(∑e∈C∗

w↑(e) + c∗)

=√R(w↑(e∗) + c∗ +

∑e∈C∗,e6=e∗

w↑(e)) = 0 mod R

Since the quantity√R(w↑(e∗) + c∗ +

∑e∈C∗,e6=e∗ w

↑(e)) is 0 mod R, thenw↑(e∗) + c∗ +

∑e∈C∗,e6=e∗ w

↑(e) = 0 mod√R.

This means that I ′(c∗)

2 is drawn from Generate(n, 1) over the range√R. Since

TVD is a metric, we have that for I ∼ D1(ZkC[√R], n) (TVD at most nk

R

from Generate(n, 1)), there exists a c∗ such that I(c∗)

2 is TVD at most 2nk√R

from

D1 — even when dependent on I(c∗)

1 . Therefore, the TVD of (I(c∗)

1 , I(c∗)2 ) =

Split(I) to D21 is at most 4nk

√R

.

Therefore, when I ∼ D0(ZkC[R], n), we get a list of pairs of instances TVD≤ 4nk/

√R from D0(ZkC[R], n)2; the probability that any of these pairs here err

is ≤ ((k2

)+ 1) · 4n

k√R

by a union bound. Similarly, when I ∼ D1(ZkC[R], n), we

50

get there exists a pair in this list of the form D1(ZkC[R], n)2; the probability oferring here is ≤ 4nk

√R.

Therefore, the total error here is ≤ ((k2

)+ 1) · 4n

k√R

. ut

Zero-k-Clique is Splittable Over Any Large Enough Range. Our techniques alsogeneralize to any large enough range (even ones not of the form 4x). For ex-ample, if you believe that the problem is hard only over a prime range, we canprove that as well. As stated, our error is

(k2

)4(

k2)3nk/

√R = O(nk/

√R). For this

to be meaningful, R = Ω(n2k), and in our constructions, R is Ω(n6k). We willshow in the next section why the zero k-clique problem is still hard over theselarger ranges.

Theorem 14. Zero-k-clique is generalized splittable over any range R, with error ≤(k2

)4(

k2)3nk/

√R.

Proof. Given an instance I with range R we will produce ≤(k2

)4(

k2) instances,

corresponding to guesses over what ranges the clique edge weights fall into.Take the next smallest power R′ = max22x|22x < R and x ∈ Z. Now let

c = dR/R′e. We will now create c subsets of R each of size R′. Si = [R′i, R′(i+1) − 1] for i ∈ [0, c − 2] and Sc−1 = [R − R′, R − 1]. Note that these subsetscompletely cover the range [0, R− 1] and are each of size ≤ R′. Let ∆i = R′i fori ∈ [0, c− 2] and ∆c−1 = R−R′.

Let the partitions of I be P1, . . . , Pk. Let the set of edges between Pi and Pjbe Ei,j . For all i, j pairs i 6= j we will choose a number between [0, c − 1]. Call

these numbers gi,j and the full list of them g. For all possible choices of g ∈ Z(k2)c

and d ∈ [0,(k2

)− 1] we will generate an instance Ig,d over range R′ as follows:

For edge set Ei,j that isn’t E1,2, for every edge in that edge set e ∈ Ei,j if theweight of e, w(e) ∈ Sgi,j then set wg,d(e) = w(e) mod R′, if w(e) 6∈ Sgi,j thenset wg,d to be a weight chosen uniformly at random from [0, R′ − 1]. Now notethat these values are completely uniform over the range from [0, R′ − 1].

For E1,2 , for every edge in that edge set e ∈ E1,2 if the weight of e, w(e) ∈Sg1,2 then set wg,d(e) = w(e) + dR mod R′, if w(e) 6∈ Sg1,2 then set wg to be aweight chosen uniformly at random from [0, R′−1]. Now note that these valuesare also completely uniform over the range from [0, R′ − 1].

If no clique existed in the original instance then the chance that one is pro-duced here is bounded by nk/R′ ≤ nk4/R′ by Lemma 5. Because we make somany queries this chance that any of them induce a clique is ≤

(k2

)4(

k2)nk4/R′.

If the original instance was drawn from Dzkc1 [R,n] then by Lemma 6 this

is only ≤ nk/R + nk−2/R total variation distance away from the instance gen-erated by choosing each edge at random and then planting a clique. Then theprocedure produces uniformly looking edges except for the planted edge. Inthe generated instance where the original zero clique edge weights are in g andthe zero k-clique sums to dR then the instance Ig,d will have that planted edgeset to the value such that zero k-clique from the original is a planted instance.

51

So, that produced instance is drawn from a distribution with total variationdistance ≤ nk/R′ + nk−2/R′ from Dzkc

1 [R′, n].Then we use the splitting procedure from Lemma 7 to generate two in-

stances from each of our generated instances. The probability of a no instancebecoming a yes instance is ≤

(k2

)4(

k2)3nk/

√R, if there is a yes instance then it

will generate a yes instance and have total variation distance at most≤(k2

)4(

k2)3nk/

√R

from Dzkc1 [√R′, n]2. ut

B.4 Larger Ranges for Zero-k-Clique are as Hard as Smaller Ranges.

We note that our constructions work for a large range: R = Ω(n6k). This theo-rem states that finding zero k-cliques over smaller ranges is as hard as findingthem over larger ones. So, if you believe that Zero-k-Clique is hard over a rangewhere an uniformly sampled instance is expected to have one solution (e.g. asmall range like O(nk)), we can show that this implies larger ranges, which areused extensively in our constructions, are also hard.

Theorem 15. Strong Zero-k-Clique-R Hypothesis for range R = nck is implied bythe Random Edge Zero-k-Clique Hypothesis if c > 1 is a constant.

Proof. Create n(1−1/c) random partitions of the nodes where each partition is ofsize n1/c. Then generate n(1−1/c)k graphs by choosing every possible choice ofk partitions.

This results in n(1−1/c)k problems of size n1/c with range nk.If an algorithmA violated Strong Zero-k-Clique-R Hypothesis for range nck

then it must have some running time of the form O(nk−δ) for δ > 0. We couldrunA on all n(1−1/c)k problems, resulting in a running time of nk/c−δ/cn(1−1/c)k =O(nk−δ/c) for the Random Edge problem. If we find a valid zero-k-clique thenwe return 1. If we don’t we return 0 with probability 1/2 and 1 with probability1/2.

Let p1 be the probability that any one of the nk/c has exactly one zero clique,conditioned on val(I) = 1 (that there is at least one solution).

If Strong Zero-k-Clique-R Hypothesis is violated then we return the correctanswer with the probability at least p1 1

100 + (1 − p1/100)/2 = 1/2 + p11

200 . So,we now want to lower bound the value of p1.

The probability that there are more than 2 cliques in a subproblem of sizen1/c, conditioned on there being at least one clique is at most n−k(1−1/c). Be-cause to generate the distribution of problems of size n1/c with at least oneclique one can plant a clique (randomly choose k nodes and randomly choose(k2

)−1 edge weights, then choose the final edge weight such that this is a zero k-

clique). The expected number of cliques other than the planted clique is n1/c−1nk

and the number of cliques other than the planted clique is a non-negative inte-ger.

So conditioned val(I) = 1 we have that p1 ≥ 1 − n−k(1−1/c). So the proba-bility of success, conditioned on val(I) = 1 is at least p1/100 ≥ 1/200.

52

C Key Exchange Proofs

Here we put the technical proofs of our key exchange. While the intuition forthese proofs is straightforward, getting the details and constants correct re-quires more careful attention.

C.1 Proof of Correctness

First, we will prove Lemma 1. We have restated the lemma below.

Lemma 8. After running construction 4, Alice and Bob agree on a key k with proba-bility at least 1− 1

10,000`e .

Proof. Since we are allowing interaction, the only way Alice and Bob can fail isif one of Alice’s Generate(n, 0) contains a solution that overlaps with SB , one ofBob’s Generate(n, 0) contains a solution that overlaps with SA, and SA∩SB = ∅.

First, let’s compute p0 = Pr[SA∩SB = ∅]. We have p0 =∏√`i=0

(`−√`−i`

), the

chance that every time Bob chooses an element for SB , he does not choose anelement in SA. Rearranging this expression, we have

p0 =

√`−1∏i=0

(`−√`− i`

)=

√`−1∏i=0

(1−√`+ i

`) ≤

√`−1∏i=0

(1− 1√

`

)=

(1− 1√

`

)√`≈ 1

e

Now, assuming that SA and SB do not intersect, we need to compute theprobability that both Alice and Bob see an incorrectly generated instance (gen-erated by Generate(n, 0), but contains a solution). Let εplant ≤ 1

100` be the plant-ing error. Since there is no overlap between SA and SB , these probabilities areindependent. The probability that SA overlaps is at most

√`εplant ≤ 1

100√`

via a union bound over all√` instances corresponding to the indices in SA.

Therefore, the probability that this happens for both Alice and Bob is at most1

10,000` =( √

`10,000`

)2.

Thus, the probability that this event occurs is at most 110,000`e , and it is the

only way the protocol ends without Alice and Bob agreeing on a key.Therefore, the probability Alice and Bob agree on a key at the end of the

protocol is 1− 110,000`e . ut

C.2 Proof of Soundness

Here we will go over the full proofs that an adversary, Eve, must take moretime that Alice and Bob to obtain the exchanged key. First, we upper bound thetime Alice and Bob take. Then, we lower-bound the time Eve requires to breakthe key exchange assuming that we have a `(n)-KER problem P .

Lemma 9. If a problem P is `(n)-KER with plant time G(n), solve time S(n) andlower bound T (n) when `(n) > 100, then Alice and Bob take expected timeO(`G(n)+√`S(n)) to run the key exchange based on P .

53

Proof. First, we will compute a bound on the number of times Alice and Bobneed to repeat the key exchange before they match on exactly one index. Aliceand Bob repeat any time there isn’t exactly one overlap between SA and SB orthe key exchange fails, as described in the proof of Lemma 1. Since the prob-ability of the bad event happening is small, ≤ 1/(10, 000e`), we will ignore it.Instead, saying

Pr[Key Exchange Stops after this round]= Pr[bad event] + Pr[Exactly one overlap| no bad event] · Pr[no bad event]

≥ 1

2Pr[Exactly one overlap| no bad event] = Pr[ Exactly one overlap]/2.

Computing the probability that there is exactly one overlap. Let p0 and p1 be theprobability that there are zero overlaps and exactly 1 overlap respectively. First,using similar techniques as in the proof of Lemma 1, we show that p0 ≥ 1

e2

p0 =

√`−1∏i=0

(1−√`+ i

`) ≥

√`−1∏i=0

(1− 2

√`

`

)=

(1− 2√

`

)√`≈ 1

e2.

A combinatorial argument also tells us that p0 =(`−√`√

`

)/(√`

)since there are(

√`

)possible ways to choose SA independent of SB , but if we want to ensure

no overlap between SA and SB , we need to avoid the√` locations in SB , hence(`−√`√

`

)choices for SA. Then, we have p1 =

√` ·(`−√`√

`−1)/(√`

)because there are√

` places to choose from to overlap SA with SB , and then we must avoid the√`− 1 locations in SB for the rest of the

√` elements in SA.

Now we will compute a bound on p1 by first showing p1p0≥ 1:

p1p0

=

√`(`−√`√

`−1)(

√`

) ·(√`

)(`−√`√`

)=

√`(`−

√`)!

(√`− 1)!(`− 2

√`+ 1)!

· (√`)!(`− 2

√`)!

(`−√`)!

=(√`)2

`− 2√`+ 1

=`

`− 2√`+ 1

≥ 1

Now, we have that p1 = p1p0· p0 ≥ 1 · 1

e2 ≥ 1/10.Finally, putting this all together, the probability that Alice and Bob stop af-

ter a round of the protocol is at least 120 . And so, we expect Alice and Bob to

stop after a constant number of rounds. Each round consists of calling Generate

` times and solving√` instances; so, each round takes `G(n) +

√`S(n) time.

Therefore, Alice and Bob take O(`G(n) +√`S(n)). ut

Now, proving a lower bound on Eve’s time.

54

Lemma 10. If a problem P is `(n)-KER with plant time G(n), solve time S(n) andlower bound T (n) when `(n) ≥ 214, then an eavesdropper Eve, when given the tran-script IT , requires Ω(`(n)T (n)) to solve for the shared key.

Proof. This proof requires two steps: first, if Eve can figure out the shared keyin time PFT`(n)T (n) time with advantage δEve, then she can also figure out theindex in PFT`(n)T (n) time with probability δEve/4. Then, if Eve can computethe index with advantage δEve/4, we can use Eve to solve the list-version ofP in PFT`(n)T (n) with probability δEve/16, which is a contradiction to the list-hardness of our problem.

Finding a bit finds the index. This is just the Goldreich-Levin (GL) trick usedin classical cryptography to convert OWFs to OWFs with a hardcore bit. Wehave to be careful in this scenario since the security reduction for GL requirespolynomial overhead (O(N2)). However, this is only because we are trying tofind N bits based off of linear combinations of those bits. If instead we weretrying to find poly logN bits, we would only require poly logN time to do sowith this trick. i ∈ `(n) is an index, so |i| = log(`(n)). Because `(n) is polynomialin n, |i| is polynomial in the log of n, therefore, using the same techniques asused in the proof of Theorem 10, being able to determine i⊕r with δ advantageallows us to determine i in the same amount of time, with probability δ/4.

Finding the index solves P Now, let I = (I1, . . . , I`) be an instance of the listproblem for P : for a random index i, Ii ← D1, and for all other j 6= i, Ij ← D0.Because P is generalized splittable, we can take every Ii and turn it into a listof m instances. With probability 1 − `εsplit, we turn I to m different instances:for every c ∈ [m], I(c) = ((I

(1,c)1 , I

(2,c)1 ), . . . (I

(1,c)` , I

(2,c)` )). For all c and j 6= i,

(I(1,c)j , I

(2,c)j ) ∼ D0×D0, and for at least one c∗ ∈ [m], (I(1,c

∗)i , I

(2,c∗)i ) ∼ D1×D1.

Because P is plantable, for√`−1 random coordinates h ∈ [`], for all c ∈ [m], we

will change I(1,c)h to I ′(1,c)h ∼ Generate(n, 1), and for√`− 1 random coordinates

g ∈ [`], disjoint from all h’s, for every c ∈ [m], we will similarly plant solutionsin the second list, changing I(2,c)g to I ′(2,c)g ∼ Generate(n, 1).

Note that there are ` instances and Eve returns a single index. We can verifythe correctness by brute forcing a single instance in the list instance. When `is polynomial in n then the time to brute force is polynomially smaller thanthe time required to solve the list instance. We will need to brute force m ofthese instances (one for each of the m produced pairs of lists). When `/m =n−Ω(1), the total time for all the brute forces is polynomially smaller than thetime required for solving a single list instance. This is how we deal with the“dummy” instances produced with by the splittable construction.

Now, notice that we have changed the list version of the problem into m

different lists of pairs of instances,(

I(c)1 , I

(c)2

)c∈[m]

, and there exists a c∗ such

that the c∗’th list is distributed, with probability O(1 − 1/√`), indistinguish-

ably to the transcript of a successful key exchange between Alice and Bob. We

55

planted√` − 1 solutions into random indices, and as long as we avoided the

index with the solution (which happens with probability 1− 2√`), the rest of the

pairs will be of the form D0 × D0 with exactly one coordinate of overlappinginstances with solutions. That coordinate will be the same as the index in thelist problem with the solution.

So, since we are assuming Eve can run in PFT`(n)T (n) time and we can cre-ate instances that look like key-exchange transcripts from list-problems, we canrun Eve on each of these m different list-pair problems, and as long as she an-swers correctly for the c∗ instance, we can solve our original problem in timeO((`(n)T (n))1−δ) for δ > 0. This is a contradiction to the hardness of the listproblem, meaning Eve’s time is bounded by Ω(`(n)T (n)).

Analyzing the error in this case, when the key exchange succeeds, the totalvariation distance between an instance of the list problem being split and theoriginal key-exchange transcript is bounded above by the following two sides:

– For the c∗ that splits the D1 instance of the list into one sampled from D1 ×D1, this succeeds with probability 1− εsplit · `.

– Given that we successfully split, the distance between the generated pairsof lists after we plant

√`− 1 instances with a solution between this and the

idealized list of (Db, Db′) instances with one (D1, D1),√` − 1 of the form

(D1, D0) and√`−1 of the form (D0, D1) is at most 2√

`+(1− 2√

`)(√`·εplant) ≤

2√`+√`εplant.

– For the generated instances generated in a successful key exchange tran-script, the error between this and the idealized list-pairs (described above)is at most ` · εplant.

– Recall that εplant, εsplit ≤ 1100` and that ` ≥ 214. So, combined, the key-

exchange transcript distribution and splitting the list-hard problem distri-bution are indistinguishable with probability at most

1− (εsplit`+2√`+√`εplant + `εplant)

= 1− (`(εsplit + εplant) +√`εplant +

2√`)

≥ 1− (`(2

128`) +

1

128√`+

2√`)

≥ 1− (2

128+

2

128+

1

1282) = 1− 1

32− 1

214

> 1− 1

31

Therefore, the total variation distance between key-exchange transcripts andthe transformed ACLH instances is at most 1

31 .Now, recall that if we have a PFT`(n)T (n) algorithm E that resolves the

single-bit key with advantage δ, then there exists a PFT`(n)T (n) algorithm E∗

that resolves the index of the key exchange transcript with probability δ/4.

56

Let Transf be the algorithm that transforms an ACLH instance I to the key-exchange transcript (with TVD from a successful key-exchange transcript of134 ) Therefore, the probability that we fool Eve into solving our ACLH problemis

Pr[E∗(Transf(I)) = i] ≥ δ/4− 1

31≥ 1

16− 1

31>

1

34

Now, since the ACLH problem P allows for PFT`(n)T (n) adversaries to haveadvantage at most 1

34 , this is a contradiction. Therefore, there does not exist aPFT`(n)T (n) eavesdropping adversary that can resolve the single bit key withadvantage 1

4 (so resolving the key with probability 1/2 + 1/4 = 3/4). ut

We note that the range, R ≈ n6k in the above corollary may be consideredto be “too large” if you believe the hardness in the problem comes from a rangewhere were are expected to get one solution with probability 1/2 (R = O(nk)).So, in the next corollary, we address that problem, getting the key exchangeusing this much smaller range.

We will now provide the proof for Corollary 2. We will repeat The text ofthe Corollary here.

Corollary 2. Given the strong Zero-k-Clique-R Hypothesis over range R =`(n)2n2k, there exists a(`(n)T (n), 1/4, insig(n))-FG-KeyExchange, where Alice and Bob can exchange asub-polynomial-sized key in time O

(nk√`(n) + n2`(n)

)for every polynomial `(n) =

nΩ(1).There also exists a `(n)T (n)-fine-grained public-key cryptosystem, where we can

encrypt a sub-polynomial sized message in time O(nk√`(n) + n2`(n)

).

Both of these protocols are optimized when `(n) = n2k−4.

Proof. This comes from the fact that strong Zero-k-Clique-RHypothesis impliesthat Zero-k-Clique is a KER problem by Theorem 14, Theorem 13, and Theorem12. So we can use construction 4 to get the key-exchange by theorem 5 and ??.

The optimization comes from minimizing O(nk√`(n) + n2`(n)

), which is

simply to set nk√`(n) = n2`(n). This results in `(n) = n2k−4.

The gap between honest parties and dishonest parties is computed as fol-lows. Honest parties take H(n) = O(`(n)n2) = O(n2k−2). Dishonest partiestake E(n) = O(`(n)nk) = O(n3k−4). We have that E(n) = H(n)t where t =3k−42k−2 , which approaches 1.5 as k → ∞. So, we have close to a 1.5 gap betweenhonest parties and dishonest ones as long as we assume T (n) = nk. ut

Corollary 4. Given the strong Zero-k-Clique-R Hypothesis over range R = nk,where `(n) is polynomial, there exists a (`(n)T (n), 1/4, insig(n))-FG-KeyExchange,where Alice and Bob can exchange a sub-polynomial-sized key in time O

(nk√`(n) + n2`(n)

)for every polynomial `(n) = nΩ(1).

There also exists a `(n)T (n)-fine-grained public-key cryptosystem, where we canencrypt a sub-polynomial sized message in time O

(nk√`(n) + n2`(n)

).

57

Both of these protocols are optimized when `(n) = n2k−4.

Proof. Using Corollary 2 and Theorem 15 we can use the hardness of strongZero-k-Clique-R Hypothesis over range R = nk to show hardness for strongZero-k-Clique-R Hypothesis over range R = `(n)2n2k. ut

58

0010 0101

1001

00 01

10

10 01

01

0111 0110

0011

01 01

00 11

1011

(A)

(B)

00 10

10

10 01

01

01 10

00 11

1011

00 11

10

10 01

01

High order bits Low order bits

01 11

00 11

1011

Carry

c=0

c=1

c=2

c=0

c=1

c=2Correct Carry

Correct Carry

Figure 4: An example of splitting the edges of triangles whose edges sum to 16.

59